author Sumit Bose <sbose@redhat.com> 2012-06-25 11:34:33 +0200
committer Stephen Gallagher <sgallagh@redhat.com> 2012-06-25 07:36:40 -0400
commit a8781a38b5fca84647d59199fd0b0b4b2d4624e0
tree e4ab493ec21c83363699df9a3ff3ba7eec5ad157 /src/man/sssd.conf.5.xml
parent e5e8252ec48bfdd4e7529debc705c8e090264b9a
Add man page section for the PAC responder
Diffstat (limited to 'src/man/sssd.conf.5.xml')
-rw-r--r-- src/man/sssd.conf.5.xml 36
1 files changed, 36 insertions, 0 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index bdf2543b..6c57571e 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -90,6 +90,7 @@
<phrase condition="with_sudo">, sudo</phrase>
<phrase condition="with_autofs">, autofs</phrase>
<phrase condition="with_ssh">, ssh</phrase>
+ <phrase condition="with_pac_responder">, pac</phrase>
</para>
</listitem>
</varlistentry>
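Review bot: The added phrase for "pac" depends on the condition with_pac_responder, and this diff is limited to src/man/sssd.conf.5.xml, so please confirm the man page build defines that condition alongside with_sudo, with_autofs and with_ssh; otherwise ", pac" will either never appear in the services list or appear regardless of how the responder was built. Since the new PAC_RESPONDER section pulls in include/experimental.xml, it may also be worth marking the entry as experimental here, because a reader of the services list sees "pac" on equal footing with the stable responders.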
@@ -813,6 +814,41 @@
</variablelist>
</refsect2>
+ <refsect2 id='PAC_RESPONDER' condition="with_pac_responder">
+ <title>PAC responder configuration options</title>
+ <para>
+ Currently there are no PAC responder specific configuration
+ options.
+ </para>
+ <para>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="include/experimental.xml" />
+ </para>
+ <para>
+ The PAC responder works together with the authorization data
+ plugin for MIT Kerberos sssd_pac_plugin.so and a sub-domain
+ provider. The plugin sends the PAC data during a GSSAPI
+ authentication to the PAC responder. The sub-domain provider
+ collects domain SID and ID ranges of the domain the client is
+ joined to and of remote trusted domains from the local domain
+ controller. If the PAC is decoded and evaluated some of the
+ following operations are done:
+ <itemizedlist>
+ <listitem><para>If the remote user does not exist in the
+ cache, it is created. The uid is calculated based on the
+ SID, trusted domains will have UPGs and the gid will have
+ the same value as the uid. The home directory is set based
+ on the subdomain_homedir parameter. The shell will be empty
+ by default, i.e. the system defaults are used, but can be
+ overwritten with the default_shell parameter.</para>
+ </listitem>
+ <listitem><para>If there are SIDs of groups from the domain
+ the sssd client belongs to, the user will be added to those
+ groups.</para></listitem>
+ </itemizedlist>
+ </para>
+ </refsect2>
+
</refsect1>
<refsect1 id='domain-sections'>
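Review bot: In the third <para> of the new PAC_RESPONDER section, "If the PAC is decoded and evaluated some of the following operations are done" does not tell the reader which operations run or under what conditions. The listed operations create cache users with a SID-derived uid and add group memberships taken from SIDs in the PAC, so an administrator needs to know what "evaluated" covers before relying on the result; please state the condition for each list item instead of "some of", and add the missing comma after "evaluated". In the same paragraph, sssd_pac_plugin.so, subdomain_homedir and default_shell are plain text; marking them up as a file name and as options would make them searchable and consistent, and "UPGs" should be expanded on first use. The section also opens by saying there are no PAC responder specific options and then names two parameters that affect its behaviour, so a short pointer to where those two are documented would avoid confusion. Finally, the lone "+" blank line added before </refsect1> can be dropped.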