author | Stephen Gallagher <sgallagh@redhat.com> | 2010-02-18 07:49:04 -0500 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-02-18 13:48:45 -0500 |
commit | 1c48b5a62f73234ed26bb20f0ab345ab61cda0ab (patch) | |
tree | 0b6cddd567a862e1a7b5df23764869782a62ca78 /src/man | |
parent | 8c56df3176f528fe0260974b3bf934173c4651ea (diff) | |
Rename server/ directory to src/
Also update BUILD.txt
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/include/failover.xml | 42 | ||||
-rw-r--r-- | src/man/include/param_help.xml | 10 | ||||
-rw-r--r-- | src/man/include/upstream.xml | 4 | ||||
-rw-r--r-- | src/man/sss_groupadd.8.xml | 81 | ||||
-rw-r--r-- | src/man/sss_groupdel.8.xml | 69 | ||||
-rw-r--r-- | src/man/sss_groupmod.8.xml | 95 | ||||
-rw-r--r-- | src/man/sss_groupshow.8.xml | 76 | ||||
-rw-r--r-- | src/man/sss_useradd.8.xml | 191 | ||||
-rw-r--r-- | src/man/sss_userdel.8.xml | 105 | ||||
-rw-r--r-- | src/man/sss_usermod.8.xml | 150 | ||||
-rw-r--r-- | src/man/sssd-ipa.5.xml | 159 | ||||
-rw-r--r-- | src/man/sssd-krb5.5.xml | 250 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 688 | ||||
-rw-r--r-- | src/man/sssd.8.xml | 148 | ||||
-rw-r--r-- | src/man/sssd.conf.5.xml | 808 | ||||
-rw-r--r-- | src/man/sssd_krb5_locator_plugin.8.xml | 89 |
16 files changed, 2965 insertions, 0 deletions
diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
new file mode 100644
index 00000000..efe3ee42
--- /dev/null
+++ b/src/man/include/failover.xml
@@ -0,0 +1,42 @@
+<refsect1 id='failover'>
+ <title>FAILOVER</title>
+ <para>
+ The failover feature allows back ends to automatically switch to
+ a different server if the primary server fails.
+ </para>
+ <refsect2 id='failover_syntax'>
+ <title>Failover Syntax</title>
+ <para>
+ The list of servers is given as a comma-separated list; any
+ number of spaces is allowed around the comma. The servers are
+ listed in order of preference. The list can contain any number
+ of servers.
+ </para>
+ </refsect2>
+ <refsect2 id='failover_mechanism'>
+ <title>The Failover Mechanism</title>
+ <para>
+ The failover mechanism distinguishes between a machine and a
+ service. The back end first tries to resolve the hostname of a
+ given machine; if this resolution attempt fails, the machine is
+ considered offline. No further attempts are made to connect
+ to this machine for any other service. If the resolution
+ attempt succeeds, the back end tries to connect to a service
+ on this machine. If the service connection attempt fails,
+ then only this particular service is considered offline and
+ the back end automatically switches over to the next service.
+ The machine is still considered online and might still be tried
+ for another service.
+ </para>
+ <para>
+ Further connection attempts are made to machines or services
+ marked as offline after a specified period of time; this is
+ currently hard coded to 30 seconds.
+ </para>
+ <para>
+ If there are no more machines to try, the back end as a whole
+ switches to offline mode, and then attempts to reconnect
+ every 30 seconds.
+ </para>
+ </refsect2>
+</refsect1>
diff --git a/src/man/include/param_help.xml b/src/man/include/param_help.xml
new file mode 100644
index 00000000..a2478bf2
--- /dev/null
+++ b/src/man/include/param_help.xml
@@ -0,0 +1,10 @@
+<varlistentry>
+ <term>
+ <option>-h</option>,<option>--help</option>
+ </term>
+ <listitem>
+ <para>
+ Display help message and exit.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/src/man/include/upstream.xml b/src/man/include/upstream.xml
new file mode 100644
index 00000000..b6f633cc
--- /dev/null
+++ b/src/man/include/upstream.xml
@@ -0,0 +1,4 @@
+<refentryinfo>
+ <productname>SSSD</productname>
+ <orgname>The SSSD upstream - http://fedorahosted.org/sssd</orgname>
+</refentryinfo>
diff --git a/src/man/sss_groupadd.8.xml b/src/man/sss_groupadd.8.xml
new file mode 100644
index 00000000..15b7ea5a
--- /dev/null
+++ b/src/man/sss_groupadd.8.xml
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_groupadd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_groupadd</refname>
+ <refpurpose>create a new group</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_groupadd</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>GROUP</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_groupadd</command> creates a new group. These groups are compatible
+ with POSIX groups, with the additional feature that they can contain other groups
+ as members.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-g</option>,<option>--gid</option>
+ <replaceable>GID</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Set the GID of the group to the value of <replaceable>GID</replaceable>.
+ If not given, it is chosen automatically.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_groupdel.8.xml b/src/man/sss_groupdel.8.xml
new file mode 100644
index 00000000..22f4fca0
--- /dev/null
+++ b/src/man/sss_groupdel.8.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_groupdel</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_groupdel</refname>
+ <refpurpose>create a new group</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_groupdel</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>GROUP</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_groupdel</command> deletes a group
+ identified by its name <replaceable>GROUP</replaceable>
+ from the system.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_groupmod.8.xml b/src/man/sss_groupmod.8.xml
new file mode 100644
index 00000000..b2226e2e
--- /dev/null
+++ b/src/man/sss_groupmod.8.xml
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_groupmod</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_groupmod</refname>
+ <refpurpose>modify a group</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_groupmod</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>GROUP</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_groupmod</command> modifies the
+ group to reflect the changes that are specified on
+ the command line.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-a</option>,<option>--append-group</option>
+ <replaceable>GROUPS</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Append this group to groups specified by the
+ <replaceable>GROUPS</replaceable> parameter.
+ The <replaceable>GROUPS</replaceable> parameter
+ is a comma separated list of group names.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-r</option>,<option>--remove-group</option>
+ <replaceable>GROUPS</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Remove this group from groups specified by the
+ <replaceable>GROUPS</replaceable> parameter.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_groupshow.8.xml b/src/man/sss_groupshow.8.xml
new file mode 100644
index 00000000..13e2dfcb
--- /dev/null
+++ b/src/man/sss_groupshow.8.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_groupshow</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_groupshow</refname>
+ <refpurpose>print properties of a group</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_groupshow</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>GROUP</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_groupshow</command> displays information about a group
+ identified by its name <replaceable>GROUP</replaceable>. The information
+ includes the group ID number, members of the group and the parent group.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-R</option>,<option>--recursive</option>
+ </term>
+ <listitem>
+ <para>
+ Also print indirect group members in a tree-like hierarchy.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_useradd.8.xml b/src/man/sss_useradd.8.xml
new file mode 100644
index 00000000..7620ffda
--- /dev/null
+++ b/src/man/sss_useradd.8.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_useradd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_useradd</refname>
+ <refpurpose>create a new user</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_useradd</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>LOGIN</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_useradd</command> creates a new user account using
+ the values specified on the command line plus the default values from
+ the system.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-u</option>,<option>--uid</option>
+ <replaceable>UID</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Set the UID of the user to the value of <replaceable>UID</replaceable>.
+ If not given, it is chosen automatically.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-g</option>,<option>--gid</option>
+ <replaceable>GID</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Set the GID or group membership of the user to the value
+ of <replaceable>GID</replaceable>. If not given, it is
+ chosen automatically.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-c</option>,<option>--gecos</option>
+ <replaceable>COMMENT</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Any text string describing the user. Often used as
+ the field for the user's full name.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-h</option>,<option>--home</option>
+ <replaceable>HOME_DIR</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The home directory of the user account.
+ The default is to append the <replaceable>LOGIN</replaceable> name
+ to <filename>/home</filename> and use that as the home directory.
+ The base that is prepended before <replaceable>LOGIN</replaceable> is tunable
+ with <quote>user_defaults/baseDirectory</quote> setting in sssd.conf.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-s</option>,<option>--shell</option>
+ <replaceable>SHELL</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The user's login shell. The default is currently <filename>/bin/bash</filename>.
+ The default can be changed with
+ <quote>user_defaults/defaultShell</quote> setting
+ in sssd.conf.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-G</option>,<option>--groups</option>
+ <replaceable>GROUPS</replaceable>
+ </term>
+ <listitem>
+ <para>
+ A list of existing groups this user is also a member of.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-m</option>,<option>--create-home</option>
+ </term>
+ <listitem>
+ <para>
+ Create the user's home directory if it does not
+ exist. The files and directories contained in the
+ skeleton directory (which can be defined with the
+ -k option or in the config file) will be copied
+ to the home directory.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-M</option>,<option>--no-create-home</option>
+ </term>
+ <listitem>
+ <para>
+ Do not create the user's home directory. Overrides
+ configuration settings.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-k</option>,<option>--skel</option>
+ <replaceable>SKELDIR</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The skeleton directory, which contains files
+ and directories to be copied in the user's home
+ directory, when the home directory is
+ created by <command>sss_useradd</command>.
+ </para>
+ <para>
+ This option is only valid if the <option>-m</option>
+ (or <option>--create-home</option>) option is
+ specified, or creation of home directories is set to TRUE
+ in the configuration.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_userdel.8.xml b/src/man/sss_userdel.8.xml
new file mode 100644
index 00000000..0c495297
--- /dev/null
+++ b/src/man/sss_userdel.8.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_userdel</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_userdel</refname>
+ <refpurpose>delete a user account</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_userdel</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>LOGIN</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_userdel</command> deletes a user
+ identified by login name <replaceable>LOGIN</replaceable>
+ from the system.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ <varlistentry>
+ <term>
+ <option>-r</option>,<option>--remove</option>
+ </term>
+ <listitem>
+ <para>
+ Files in the user's home directory will be
+ removed along with the home directory itself and
+ the user's mail spool. Overrides the configuration.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-R</option>,<option>--no-remove</option>
+ </term>
+ <listitem>
+ <para>
+ Files in the user's home directory will NOT be
+ removed along with the home directory itself and
+ the user's mail spool. Overrides the configuration.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-f</option>,<option>--force</option>
+ </term>
+ <listitem>
+ <para>
+ This option forces <command>sss_userdel</command>
+ to remove the user's home directory and mail spool,
+ even if they are not owned by the specified user.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_usermod.8.xml b/src/man/sss_usermod.8.xml
new file mode 100644
index 00000000..b94fc738
--- /dev/null
+++ b/src/man/sss_usermod.8.xml
@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_usermod</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_usermod</refname>
+ <refpurpose>modify a user account</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_usermod</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>LOGIN</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_usermod</command> modifies the
+ account specified by <replaceable>LOGIN</replaceable>
+ to reflect the changes that are specified on the command line.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-c</option>,<option>--gecos</option>
+ <replaceable>COMMENT</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Any text string describing the user. Often used as
+ the field for the user's full name.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-h</option>,<option>--home</option>
+ <replaceable>HOME_DIR</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The home directory of the user account.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-s</option>,<option>--shell</option>
+ <replaceable>SHELL</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The user's login shell.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-a</option>,<option>--append-group</option>
+ <replaceable>GROUPS</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Append this user to groups specified by the
+ <replaceable>GROUPS</replaceable> parameter.
+ The <replaceable>GROUPS</replaceable> parameter
+ is a comma separated list of group names.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-r</option>,<option>--remove-group</option>
+ <replaceable>GROUPS</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Remove this user from groups specified by the
+ <replaceable>GROUPS</replaceable> parameter.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-l</option>,<option>--lock</option>
+ </term>
+ <listitem>
+ <para>
+ Lock the user account. The user won't be able
+ to log in.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-u</option>,<option>--unlock</option>
+ </term>
+ <listitem>
+ <para>
+ Unlock the user account.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
new file mode 100644
index 00000000..d1ba1c52
--- /dev/null
+++ b/src/man/sssd-ipa.5.xml
@@ -0,0 +1,159 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd-ipa</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd-ipa</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ This manual page describes the configuration of the IPA provider
+ for
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page.
+ </para>
+ <para>
+ The IPA provider is a back end used to connect to an IPA server.
+ (Refer to the freeipa.org web site for information about IPA servers.)
+ This provider requires that the machine be joined to the IPA domain;
+ configuration is almost entirely self-discovered and obtained
+ directly from the server.
+ </para>
+ <para>
+ The IPA provider accepts the same options used by the
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> identity provider and the
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> authentication provider.
+ However, it is neither necessary nor recommended to set these options.
+ </para>
+ </refsect1>
+
+ <refsect1 id='file-format'>
+ <title>CONFIGURATION OPTIONS</title>
+ <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page for details on the configuration of an SSSD domain.
+ <variablelist>
+ <varlistentry>
+ <term>ipa_domain (string)</term>
+ <listitem>
+ <para>
+ Specifies the name of the IPA domain.
+ This is optional. If not provided, the configuration
+ domain name is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ipa_server (string)</term>
+ <listitem>
+ <para>
+ The list of IP addresses or hostnames of the
+ IPA servers to which SSSD should connect in
+ the order of preference. For more information
+ on failover and server redundancy, see the
+ <quote>FAILOVER</quote> section.
+ This is optional if autodiscovery is enabled.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ipa_hostname (string)</term>
+ <listitem>
+ <para>
+ Optional. May be set on machines where the
+ hostname(5) does not reflect the fully qualified
+ name used in the IPA domain to identify this host.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_validate (boolean)</term>
+ <listitem>
+ <para>
+ Verify with the help of krb5_keytab that the TGT
+ obtained has not been spoofed.
+ </para>
+ <para>
+ Default: true
+ </para>
+ <para>
+ Note that this default differs from the
+ traditional Kerberos provider back end.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example assumes that SSSD is correctly
+ configured and example.com is one of the domains in the
+ <replaceable>[sssd]</replaceable> section. This examples shows only
+ the ipa provider-specific options.
+ </para>
+ <para>
+<programlisting>
+ [domain/example.com]
+ id_provider = ipa
+ ipa_server = ipaserver.example.com
+ ipa_hostname = myhost.example.com
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
new file mode 100644
index 00000000..32b6c293
--- /dev/null
+++ b/src/man/sssd-krb5.5.xml
@@ -0,0 +1,250 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd-krb5</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ This manual page describes the configuration of the Kerberos
+ 5 authentication backend for
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page
+ </para>
+ <para>
+ The Kerberos 5 authentication backend does not contain an identity
+ provider and must be paired with one in order to function properly (for
+ example, id_provider = ldap). Some information required by the Kerberos
+ 5 authentication backend must be provided by the identity provider, such
+ as the user's Kerberos Principal Name (UPN). The configuration of the
+ identity provider should have an entry to specify the UPN. Please refer
+ to the man page for the applicable identity provider for details on how
+ to configure this.
+ </para>
+ <para>
+ In the case where the UPN is not available in the identity backend
+ <command>sssd</command> will construct a UPN using the format
+ <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>.
+ </para> + + </refsect1> + + <refsect1 id='file-format'> + <title>CONFIGURATION OPTIONS</title> + <para> + If the auth-module krb5 is used in a SSSD domain, the following + options must be used. See the + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote> + for details on the configuration of a SSSD domain. + <variablelist> + <varlistentry> + <term>krb5_kdcip (string)</term> + <listitem> + <para> + Specifies the list of IP addresses or hostnames + of the Kerberos servers to which SSSD should + connect in the order of preference. For more + information on failover and server redundancy, + see the <quote>FAILOVER</quote> section. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_realm (string)</term> + <listitem> + <para> + The name of the Kerberos realm. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_changepw_principal (string)</term> + <listitem> + <para> + The priciple of the change password service. + If only the 'identifier/instance' part of the + principal are given the realm part is added + automatically. + </para> + <para> + Default: kadmin/changepw + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_ccachedir (string)</term> + <listitem> + <para> + Directory to store credential caches. + </para> + <para> + Default: /tmp + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_ccname_template (string)</term> + <listitem> + <para> + Location of the user's credential cache. Currently + only file based credential caches are supported. 
In + the template the following sequences are + substituted: + <variablelist> + <varlistentry> + <term>%u</term> + <listitem><para>login name</para></listitem> + </varlistentry> + <varlistentry> + <term>%U</term> + <listitem><para>login UID</para></listitem> + </varlistentry> + <varlistentry> + <term>%p</term> + <listitem><para>principal name</para> + </listitem> + </varlistentry> + <varlistentry> + <term>%r</term> + <listitem><para>realm name</para></listitem> + </varlistentry> + <varlistentry> + <term>%h</term> + <listitem><para>home directory</para> + </listitem> + </varlistentry> + <varlistentry> + <term>%d</term> + <listitem><para>value of krb5ccache_dir + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>%P</term> + <listitem><para>the process ID of the sssd + client</para> + </listitem> + </varlistentry> + <varlistentry> + <term>%%</term> + <listitem><para>a literal '%'</para> + </listitem> + </varlistentry> + </variablelist> + If the template ends with 'XXXXXX' mkstemp(3) is + used to create a unique filename in a safe way. + </para> + <para> + Default: FILE:%d/krb5cc_%U_XXXXXX + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_auth_timeout (integer)</term> + <listitem> + <para> + Timeout in seconds after an online authentication or + change password request is aborted. If possible the + authentication request is continued offline. + </para> + <para> + Default: 15 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_validate (boolean)</term> + <listitem> + <para> + Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_keytab (string)</term> + <listitem> + <para> + The location of the keytab to use when validating + credentials obtained from KDCs. 
+ </para>
+ <para>
+ Default: /etc/krb5.keytab
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example assumes that SSSD is correctly
+ configured and FOO is one of the domains in the
+ <replaceable>[sssd]</replaceable> section. This example shows
+ only configuration of Kerberos authentication, it does not include
+ any identity provider.
+ </para>
+ <para>
+<programlisting>
+ [domain/FOO]
+ auth_provider = krb5
+ krb5_kdcip = 192.168.1.1
+ krb5_realm = EXAMPLE.COM
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
new file mode 100644
index 00000000..b79cbbc9
--- /dev/null
+++ b/src/man/sssd-ldap.5.xml
@@ -0,0 +1,688 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd-ldap</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ This manual page describes the configuration of LDAP
+ domains for
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ Refer to the <quote>FILE FORMAT</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page for detailed syntax information.</para>
+ <para>
+ You can configure SSSD to use more than one LDAP domain.
+ </para>
+ <para>
+ If you want to authenticate against an LDAP server then TLS/SSL is
+ required. <command>sssd</command> <emphasis>does not</emphasis>
+ support authentication over an unencrypted channel. If the LDAP
+ server is used only as an identify provider, an encrypted channel
+ is not needed.
+ </para>
+ </refsect1>
+
+ <refsect1 id='file-format'>
+ <title>CONFIGURATION OPTIONS</title>
+ <para>
+ All of the common configuration options that apply to SSSD domains also apply
+ to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page for full details.
+ + <variablelist> + <varlistentry> + <term>ldap_uri (string)</term> + <listitem> + <para> + Specifies the list of URIs of the LDAP servers to which + SSSD should connect in the order of preference. Refer to the + <quote>FAILOVER</quote> section for more information on failover and server redundancy. + </para> + <para> + Default: ldap://localhost + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_search_base (string)</term> + <listitem> + <para> + The default base DN to use for + performing LDAP user operations. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_schema (string)</term> + <listitem> + <para> + Specifies the Schema Type in use on the target LDAP + server. + Depending on the selected schema, the default + attribute names retrieved from the servers may vary. + The way that some attributes are handled may also differ. + + Two schema types are currently supported: + rfc2307 + rfc2307bis + + The main difference between these two schema types is + how group memberships are recorded in the server. + With rfc2307, group members are listed by name in the + <emphasis>memberUid</emphasis> attribute. + With rfc2307bis, group members are listed by DN and + stored in the <emphasis>member</emphasis> attribute. + + </para> + <para> + Default: rfc2307 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_default_bind_dn (string)</term> + <listitem> + <para> + The default bind DN to use for + performing LDAP operations. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_default_authtok_type (string)</term> + <listitem> + <para> + The type of the authentication token of the + default bind DN. The only currently supported value is "password". + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_default_authtok (string)</term> + <listitem> + <para> + The authentication token of the default bind DN. + Only clear text passwords are currently supported. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_search_base (string)</term> + <listitem> + <para> + An optional base DN to restrict user searches + to a specific subtree. + </para> + <para> + Default: the value of + <emphasis>ldap_search_base</emphasis> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_object_class (string)</term> + <listitem> + <para> + The object class of a user entry in LDAP. + </para> + <para> + Default: posixAccount + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_name (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + user's login name. + </para> + <para> + Default: uid + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_uid_number (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + user's id. + </para> + <para> + Default: uidNumber + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_gid_number (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + user's primary group id. + </para> + <para> + Default: gidNumber + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_gecos (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + user's gecos field. + </para> + <para> + Default: gecos + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_home_directory (string)</term> + <listitem> + <para> + The LDAP attribute that contains the name of the user's + home directory. + </para> + <para> + Default: homeDirectory + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_shell (string)</term> + <listitem> + <para> + The LDAP attribute that contains the path to the + user's default shell. 
+ </para> + <para> + Default: loginShell + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_uuid (string)</term> + <listitem> + <para> + The LDAP attribute that contains the UUID/GUID of + an LDAP user object. + </para> + <para> + Default: nsUniqueId + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_principal (string)</term> + <listitem> + <para> + The LDAP attribute that contains the user's Kerberos + User Principle Name (UPN). + </para> + <para> + Default: krbPrincipalName + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_force_upper_case_realm (boolean)</term> + <listitem> + <para> + Some directory servers, for example Active Directory, + might deliver the realm part of the UPN in lower case, + which might cause the authentication to fail. Set this + option to a non-zero value if you want to use an + upper-case realm. + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_fullname (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + user's full name. + </para> + <para> + Default: cn + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_member_of (string)</term> + <listitem> + <para> + The LDAP attribute that lists the user's + group memberships. + </para> + <para> + Default: memberOf + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_search_base (string)</term> + <listitem> + <para> + An optional base DN to restrict group searches + to a specific subtree. + </para> + <para> + Default: the value of + <emphasis>ldap_search_base</emphasis> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_object_class (string)</term> + <listitem> + <para> + The object class of a group entry in LDAP. 
+ </para> + <para> + Default: posixGroup + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_name (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to + the group name. + </para> + <para> + Default: cn + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_gid_number (string)</term> + <listitem> + <para> + The LDAP attribute that corresponds to the + group's id. + </para> + <para> + Default: gidNumber + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_member (string)</term> + <listitem> + <para> + The LDAP attribute that contains the names of + the group's members. + </para> + <para> + Default: memberuid (rfc2307) / member (rfc2307bis) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_group_uuid (string)</term> + <listitem> + <para> + The LDAP attribute that contains the UUID/GUID of + an LDAP group object. + </para> + <para> + Default: nsUniqueId + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_network_timeout (integer)</term> + <listitem> + <para> + Specifies the timeout (in seconds) after which + the + <citerefentry> + <refentrytitle>poll</refentrytitle> + <manvolnum>2</manvolnum> + </citerefentry>/<citerefentry> + <refentrytitle>select</refentrytitle> + <manvolnum>2</manvolnum> + </citerefentry> + following a + <citerefentry> + <refentrytitle>connect</refentrytitle> + <manvolnum>2</manvolnum> + </citerefentry> + returns in case of no activity. + </para> + <para> + Default: 5 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_opt_timeout (integer)</term> + <listitem> + <para> + Specifies a timeout (in seconds) after which + calls to synchronous LDAP APIs will abort if no + response is received. Also controls the timeout + when communicating with the KDC in case of SASL bind. 
+ </para> + <para> + Default: 5 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_tls_reqcert (string)</term> + <listitem> + <para> + Specifies what checks to perform on server + certificates in a TLS session, if any. It + can be specified as one of the following + values: + </para> + <para> + <emphasis>never</emphasis> = The client will + not request or check any server certificate. + </para> + <para> + <emphasis>allow</emphasis> = The server + certificate is requested. If no certificate is + provided, the session proceeds normally. If a + bad certificate is provided, it will be ignored + and the session proceeds normally. + </para> + <para> + <emphasis>try</emphasis> = The server certificate + is requested. If no certificate is provided, the + session proceeds normally. If a bad certificate + is provided, the session is immediately terminated. + </para> + <para> + <emphasis>demand</emphasis> = The server + certificate is requested. If no certificate + is provided, or a bad certificate is provided, + the session is immediately terminated. + </para> + <para> + <emphasis>hard</emphasis> = Same as + <quote>demand</quote> + </para> + <para> + Default: hard + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_tls_cacert (string)</term> + <listitem> + <para> + Specifies the file that contains certificates for + all of the Certificate Authorities that + <command>sssd</command> will recognize. + </para> + <para> + Default: use OpenLDAP defaults, typically in + <filename>/etc/openldap/ldap.conf</filename> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_tls_cacertdir (string)</term> + <listitem> + <para> + Specifies the path of a directory that contains + Certificate Authority certificates in separate + individual files. Typically the file names need to + be the hash of the certificate followed by '.0'. + If available, <command>cacertdir_rehash</command> + can be used to create the correct names. 
+ </para> + <para> + Default: use OpenLDAP defaults, typically in + <filename>/etc/openldap/ldap.conf</filename> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_id_use_start_tls (boolean)</term> + <listitem> + <para> + Specifies that the id_provider connection must also + use <systemitem class="protocol">tls</systemitem> to protect the channel. + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_sasl_mech (string)</term> + <listitem> + <para> + Specify the SASL mechanism to use. + Currently only GSSAPI is tested and supported. + </para> + <para> + Default: none + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_sasl_authid (string)</term> + <listitem> + <para> + Specify the SASL authorization id to use. + When GSSAPI is used, this represents the Kerberos + principal used for authentication to the directory. + </para> + <para> + Default: host/machine.fqdn@REALM + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_krb5_keytab (string)</term> + <listitem> + <para> + Specify the keytab to use when using SASL/GSSAPI. + </para> + <para> + Default: System keytab, normally <filename>/etc/krb5.keytab</filename> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_krb5_init_creds (boolean)</term> + <listitem> + <para> + Specifies that the id_provider should init + Kerberos credentials (TGT). + This action is performed only if SASL is used and + the mechanism selected is GSSAPI. + </para> + <para> + Default: true + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_realm (string)</term> + <listitem> + <para> + Specify the Kerberos REALM (for SASL/GSSAPI auth). 
+ </para> + <para> + Default: System defaults, see <filename>/etc/krb5.conf</filename> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_pwd_policy (string)</term> + <listitem> + <para> + Select the policy to evaluate the password + expiration on the client side. The following values + are allowed: + </para> + <para> + <emphasis>none</emphasis> - No evaluation on the + client side. This option cannot disable server-side + password policies. + </para> + <para> + <emphasis>shadow</emphasis> - Use + <citerefentry><refentrytitle>shadow</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> style + attributes to evaluate if the password has expired. + Note that the current version of sssd cannot + update this attribute during a password change. + </para> + <para> + <emphasis>mit_kerberos</emphasis> - Use the attributes + used by MIT Kerberos to determine if the password has + expired. Use chpass_provider=krb5 to update these + attributes when the password is changed. + </para> + <para> + Default: none + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_referrals (boolean)</term> + <listitem> + <para> + Specifies whether automatic referral chasing should + be enabled. + </para> + <para> + Please note that sssd only supports referral chasing + when it is compiled with OpenLDAP version 2.4.13 or + higher. + </para> + <para> + Default: true + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" /> + + <refsect1 id='example'> + <title>EXAMPLE</title> + <para> + The following example assumes that SSSD is correctly + configured and LDAP is set to one of the domains in the + <replaceable>[domains]</replaceable> section. 
+ </para>
+ <para>
+<programlisting>
+ [domain/LDAP]
+ id_provider = ldap
+ auth_provider = ldap
+ ldap_uri = ldap://ldap.mydomain.org
+ ldap_search_base = dc=mydomain,dc=org
+ ldap_tls_reqcert = demand
+ cache_credentials = true
+ enumerate = true
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='notes'>
+ <title>NOTES</title>
+ <para>
+ The descriptions of some of the configuration options in this manual
+ page are based on the <citerefentry>
+ <refentrytitle>ldap.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page from the OpenLDAP 2.4 distribution.
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
new file mode 100644
index 00000000..5e45a336
--- /dev/null
+++ b/src/man/sssd.8.xml
@@ -0,0 +1,148 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd</refname>
+ <refpurpose>System Security Services Daemon</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sssd</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>SSSD</command> provides a set of daemons to manage access to remote
+ directories and authentication mechanisms. It provides an NSS and
+ PAM interface toward the system and a pluggable backend system to
+ connect to multiple different account sources as well as D-Bus
+ interface. It is also the basis to provide client auditing and
+ policy services for projects like FreeIPA. It provides a more robust database
+ to store local users as well as extended user data.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-d</option>,<option>--debug-level</option>
+ <replaceable>LEVEL</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Debug level to run the daemon with. 0 is the default as well
+ as the lowest allowed value, 10 is the most verbose mode. This setting
+ overrides the settings from config file. This parameter implies <option>-i</option>.
+ </para> + </listitem> + </varlistentry> + <varlistentry> + <term>debug_timestamps (bool)</term> + <listitem> + <para> + Add a timestamp to the debug messages + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-f</option>,<option>--debug-to-files</option> + </term> + <listitem> + <para> + Send the debug output to files instead of stderr. By default, the + log files are stored in <filename>/var/log/sssd</filename> and + there are separate log files for every SSSD service and domain. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-D</option>,<option>--daemon</option> + </term> + <listitem> + <para> + Become a daemon after starting up. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-i</option>,<option>--interactive</option> + </term> + <listitem> + <para> + Run in the foreground, don't become a daemon. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-c</option>,<option>--config</option> + </term> + <listitem> + <para> + Specify a non-default config file. The default is + <filename>/etc/sssd/sssd.conf</filename>. For reference + on the config file syntax and options, consult the + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + manual page. 
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
new file mode 100644
index 00000000..7b240c8f
--- /dev/null
+++ b/src/man/sssd.conf.5.xml
@@ -0,0 +1,808 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd.conf</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='file-format'>
+ <title>FILE FORMAT</title>
+
+ <para>
+ The file has an ini-style syntax and consists of sections and
+ parameters. A section begins with the name of the section in
+ square brackets and continues until the next section begins. An
+ example of section with single and multi-valued parameters:
+ <programlisting>
+ <replaceable>[section]</replaceable>
+ <replaceable>key</replaceable> = <replaceable>value</replaceable>
+ <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>
+ </programlisting>
+ </para>
+
+ <para>
+ The data types used are string (no quotes needed), integer
+ and bool (with values of <quote>TRUE/FALSE</quote>).
+ </para>
+
+ <para>
+ A line comment starts with a hash sign (<quote>#</quote>) or a
+ semicolon (<quote>;</quote>)
+ </para>
+
+ <para>
+ All sections can have an optional
+ <replaceable>description</replaceable> parameter. Its function
+ is only as a label for the section.
+ </para>
+
+ <para>
+ <filename>sssd.conf</filename> must be a regular file, owned by
+ root and only root may read from or write to the file.
+ </para>
+ </refsect1>
+
+ <refsect1 id='special-sections'>
+ <title>SPECIAL SECTIONS</title>
+
+ <refsect2 id='services'>
+ <title>The [sssd] section</title>
+ <para>
+ Individual pieces of SSSD functionality are provided by special
+ SSSD services that are started and stopped together with SSSD.
+ The services are managed by a special service frequently called
+ <quote>monitor</quote>. The <quote>[sssd]</quote> section is used
+ to configure the monitor as well as some other important options
+ like the identity domains.
+ <variablelist>
+ <title>Section parameters</title>
+ <varlistentry>
+ <term>config_file_version (integer)</term>
+ <listitem>
+ <para>
+ Indicates what is the syntax of the config
+ file. SSSD 0.6.0 and later use version 2.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>services</term>
+ <listitem>
+ <para>
+ Comma separated list of services that are
+ started when sssd itself starts.
+ </para>
+ <para>
+ Supported services: nss, pam
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>reconnection_retries (integer)</term>
+ <listitem>
+ <para>
+ Number of times services should attempt to
+ reconnect in the event of a Data Provider
+ crash or restart before they give up
+ </para>
+ <para>
+ Default: 3
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>domains</term>
+ <listitem>
+ <para>
+ A domain is a database containing user
+ information. SSSD can use more domains
+ at the same time, but at least one
+ must be configured or SSSD won't start.
+ This parameter described the list of domains
+ in the order you want them to be queried.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>re_expression (string)</term>
+ <listitem>
+ <para>
+ Regular expression that describes how to parse the string
+ containing user name and domain into these components.
+ </para>
+ <para>
+ Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote>
+ which translates to "the name is everything up to the
+ <quote>@</quote> sign, the domain everything after that"
+ </para>
+ <para>
+ PLEASE NOTE: the support for non-unique named
+ subpatterns is not available on all plattforms
+ (e.g. RHEL5 and SLES10). Only plattforms with
+ libpcre version 7 or higher can support non-unique
+ named subpatterns.
+ </para>
+ <para>
+ PLEASE NOTE ALSO: older version of libpcre only
+ support the Python syntax (?P<name>) to label
+ subpatterns.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>full_name_format (string)</term>
+ <listitem>
+ <para>
+ A <citerefentry>
+ <refentrytitle>printf</refentrytitle>
+ <manvolnum>3</manvolnum>
+ </citerefentry>-compatible format that describes how to
+ translate a (name, domain) tuple into a fully qualified
+ name.
+ </para>
+ <para>
+ Default: <quote>%1$s@%2$s</quote>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ </refsect2>
+
+ </refsect1>
+
+ <refsect1 id='services-sections'>
+ <title>SERVICES SECTIONS</title>
+ <para>
+ Settings that can be used to configure different services
+ are described in this section. They should reside in the
+ [<replaceable>$NAME</replaceable>] section, for example,
+ for NSS service, the section would be <quote>[nss]</quote>
+ </para>
+
+ <refsect2 id='general'>
+ <title>General service configuration options</title>
+ <para>
+ These options can be used to configure any service.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>debug_level (integer)</term>
+ <listitem>
+ <para>
+ Sets the debug level for the service. The
+ value can be in range from 0 (only critical
+ messages) to 10 (very verbose).
+ </para>
+ <para>
+ Default: 0
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>debug_timestamps (bool)</term>
+ <listitem>
+ <para>
+ Add a timestamp to the debug messages
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>reconnection_retries (integer)</term>
+ <listitem>
+ <para>
+ Number of times services should attempt to
+ reconnect in the event of a Data Provider
+ crash or restart before they give up
+ </para>
+ <para>
+ Default: 3
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>command (string)</term>
+ <listitem>
+ <para>
+ By default, the executable
+ representing this service is called
+ <command>sssd_${service_name}</command>.
+ This directive allows to change the executable
+ name for the service. In the vast majority of
+ configurations, the default values should suffice.
+ </para>
+ <para>
+ Default: <command>sssd_${service_name}</command>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2 id='NSS'>
+ <title>NSS configuration options</title>
+ <para>
+ These options can be used to configure the
+ Name Service Switch (NSS) service.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>enum_cache_timeout (integer)</term>
+ <listitem>
+ <para>
+ How many seconds should nss_sss cache enumerations
+ (requests for info about all users)
+ </para>
+ <para>
+ Default: 120
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>entry_cache_nowait_percentage (integer)</term>
+ <listitem>
+ <para>
+ The entry cache can be set to automatically update
+ entries in the background if they are requested
+ beyond a percentage of the entry_cache_timeout
+ value for the domain.
+ </para>
+ <para>
+ For example, if the domain's entry_cache_timeout
+ is set to 30s and entry_cache_nowait_percentage is
+ set to 50 (percent), entries that come in after 15
+ seconds past the last cache update will be
+ returned immediately, but the SSSD will go and
+ update the cache on its own, so that future
+ requests will not need to block waiting for a
+ cache update.
+ </para>
+ <para>
+ Valid values for this option are 0-99 and
+ represent a percentage of the entry_cache_timeout
+ for each domain. For performance reasons, this
+ percentage will never reduce the nowait timeout to
+ less than 10 seconds.
+ (0 disables this feature)
+ </para>
+ <para>
+ Default: 0
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>entry_negative_timeout (integer)</term>
+ <listitem>
+ <para>
+ Specifies for how long nss_sss should cache
+ negative cache hits (that is, queries for
+ invalid database entries, like nonexistent ones)
+ before asking the back end again.
+ </para>
+ <para>
+ Default: 15
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>filter_users, filter_groups (string)</term>
+ <listitem>
+ <para>
+ Exclude certain users from being fetched from the sss
+ NSS database. This is particulary useful for system
+ accounts.
+ </para>
+ <para>
+ Default: root
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>filter_users_in_groups (bool)</term>
+ <listitem>
+ <para>
+ If you want filtered user still be group members
+ set this option to false.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+ <refsect2 id='PAM'>
+ <title>PAM configuration options</title>
+ <para>
+ These options can be used to configure the
+ Pluggable Authentication Module (PAM) service.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>offline_credentials_expiration (integer)</term>
+ <listitem>
+ <para>
+ If the authentication provider is offline, how
+ long should we allow cached logins (in days since
+ the last successful online login).
+ </para>
+ <para>
+ Default: 0 (No limit)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>offline_failed_login_attempts (integer)</term>
+ <listitem>
+ <para>
+ If the authentication provider is offline, how
+ many failed login attempts are allowed.
+ </para>
+ <para>
+ Default: 0 (No limit)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>offline_failed_login_delay (integer)</term>
+ <listitem>
+ <para>
+ The time in minutes which has to pass after
+ offline_failed_login_attempts has been reached
+ before a new login attempt is possible.
+ </para>
+ <para>
+ If set to 0 the user cannot authenticate offline if
+ offline_failed_login_attempts has been reached. Only
+ a successful online authentication can enable
+ enable offline authentication again.
+ </para>
+ <para>
+ Default: 5
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+ </refsect1>
+
+ <refsect1 id='domain-sections'>
+ <title>DOMAIN SECTIONS</title>
+ <para>
+ These configuration options can be present in a domain
+ configuration section, that is, in a section called
+ <quote>[domain/<replaceable>NAME</replaceable>]</quote>
+ <variablelist>
+ <varlistentry>
+ <term>min_id,max_id (integer)</term>
+ <listitem>
+ <para>
+ UID limits for the domain. If a domain contains
+ entry that is outside these limits, it is ignored
+ </para>
+ <para>
+ Default: 1000 for min_id, 0 (no limit) for max_id
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>timeout (integer)</term>
+ <listitem>
+ <para>
+ Timeout in seconds between heartbeats for this domain.
+ This is used to ensure that the backend process is
+ alive and capable of answering requests.
+ </para>
+ <para>
+ Default: 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>enumerate (bool)</term>
+ <listitem>
+ <para>
+ Determines if a domain can be enumerated. This
+ parameter can have one of the following values:
+ </para>
+ <para>
+ TRUE = Users and groups are enumerated
+ </para>
+ <para>
+ FALSE = No enumerations for this domain
+ </para>
+ <para>
+ Default: TRUE
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>entry_cache_timeout (integer)</term>
+ <listitem>
+ <para>
+ How many seconds should nss_sss consider
+ entries valid before asking the backend again
+ </para>
+ <para>
+ Default: 600
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>cache_credentials (bool)</term>
+ <listitem>
+ <para>
+ Determines if user credentials are also cached
+ in the local LDB cache
+ </para>
+ <para>
+ Default: FALSE
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>id_provider (string)</term>
+ <listitem>
+ <para>
+ The Data Provider identity backend to use for this
+ domain.
+ </para>
+ <para>
+ Supported backends:
+ </para>
+ <para>
+ proxy: Support a legacy NSS provider
+ </para>
+ <para>
+ local: SSSD internal local provider
+ </para>
+ <para>
+ ldap: LDAP provider
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>use_fully_qualified_names (bool)</term>
+ <listitem>
+ <para>
+ If set to TRUE, all requests to this domain
+ must use fully qualified names. For example,
+ if used in LOCAL domain that contains a "test"
+ user, <command>getent passwd test</command>
+ wouldn't find the user while <command>getent
+ passwd test@LOCAL</command> would.
+ </para>
+ <para>
+ Default: FALSE
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>auth_provider (string)</term>
+ <listitem>
+ <para>
+ The authentication provider used for the domain.
+ Supported auth providers are:
+ </para>
+ <para>
+ <quote>ldap</quote> for native LDAP authentication. See
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring LDAP.
+ </para>
+ <para>
+ <quote>krb5</quote> for Kerberos authentication. See
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring Kerberos.
+ </para>
+ <para>
+ <quote>proxy</quote> for relaying authentication to some other PAM target.
+ </para>
+ <para>
+ <quote>none</quote> disables authentication explicitly.
+ </para>
+ <para>
+ Default: <quote>id_provider</quote> is used if it
+ is set and can handle authentication requests.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>access_provider (string)</term>
+ <listitem>
+ <para>
+ The access control provider used for the domain.
+ There are two built-in access providers (in
+ addition to any included in installed backends)
+ Internal special providers are:
+ </para>
+ <para>
+ <quote>permit</quote> always allow access.
+ </para>
+ <para>
+ <quote>deny</quote> always deny access.
+ </para>
+ <para>
+ Default: <quote>permit</quote>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>chpass_provider (string)</term>
+ <listitem>
+ <para>
+ The provider which should handle change password
+ operations for the domain.
+ Supported change password providers are:
+ </para>
+ <para>
+ <quote>ldap</quote> to change a password stored
+ in a LDAP server. See
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring LDAP.
+ </para>
+ <para>
+ <quote>krb5</quote> to change the Kerberos
+ password. See
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring Kerberos.
+ </para>
+ <para>
+ <quote>proxy</quote> for relaying password changes
+ to some other PAM target.
+ </para>
+ <para>
+ <quote>none</quote> disallows password changes explicitly.
+ </para>
+ <para>
+ Default: <quote>auth_provider</quote> is used if it
+ is set and can handle change password requests.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ Options valid for proxy domains.
+
+ <variablelist>
+ <varlistentry>
+ <term>proxy_pam_target (string)</term>
+ <listitem>
+ <para>
+ The proxy target PAM proxies to.
+ </para>
+ <para>
+ Default: not set by default, you have to take an
+ existing pam configuration or create a new one and
+ add the service name here.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>proxy_lib_name (string)</term>
+ <listitem>
+ <para>
+ The name of the NSS library to use in proxy
+ domains. The NSS functions searched for in the
+ library are in the form of
+ _nss_$(libName)_$(function), for example
+ _nss_files_getpwent.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <refsect2 id='local_domain'>
+ <title>The local domain section</title>
+ <para>
+ This section contains settings for domain that stores users and
+ groups in SSSD native database, that is, a domain that uses
+ <replaceable>id_provider=local</replaceable>.
+ </para>
+ <variablelist>
+ <title>Section parameters</title>
+ <varlistentry>
+ <term>default_shell (string)</term>
+ <listitem>
+ <para>
+ The default shell for users created
+ with SSSD userspace tools.
+ </para>
+ <para>
+ Default: <filename>/bin/bash</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>base_directory (string)</term>
+ <listitem>
+ <para>
+ The tools append the login name to
+ <replaceable>base_directory</replaceable> and
+ use that as the home directory.
+ </para>
+ <para>
+ Default: <filename>/home</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>create_homedir (bool)</term>
+ <listitem>
+ <para>
+ Indicate if a home directory should be created by default for new users.
+ Can be overriden on command line.
+ </para>
+ <para>
+ Default: TRUE
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>remove_homedir (bool)</term>
+ <listitem>
+ <para>
+ Indicate if a home directory should be removed by default for deleted users.
+ Can be overriden on command line.
+ </para>
+ <para>
+ Default: TRUE
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>homedir_umask (integer)</term>
+ <listitem>
+ <para>
+ Used by
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry> to specify the default permissions on a newly created
+ home directory.
+ </para>
+ <para>
+ Default: 077
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>skel_dir (string)</term>
+ <listitem>
+ <para>
+ The skeleton directory, which contains files
+ and directories to be copied in the user's
+ home directory, when the home directory is
+ created by
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ <para>
+ Default: <filename>/etc/skel</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>mail_dir (string)</term>
+ <listitem>
+ <para>
+ The mail spool directory. This is needed to
+ manipulate the mailbox when its corresponding
+ user account is modified or deleted.
+ If not specified, a default
+ value is used.
+ </para>
+ <para>
+ Default: <filename>/var/mail</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ </refsect1>
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example shows a typical SSSD config. It does
+ not describe configuration of the domains themselves - refer to
+ documentation on configuring domains for more details.
+<programlisting>
+[sssd]
+domains = LDAP
+services = nss, pam
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://ldap.example.com
+ldap_search_base = dc=example,dc=com
+
+auth_provider = krb5
+krb5_kdcip = kerberos.example.com
+krb5_realm = EXAMPLE.COM
+cache_credentials = true
+
+min_id = 10000
+max_id = 20000
+enumerate = true
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd_krb5_locator_plugin.8.xml b/src/man/sssd_krb5_locator_plugin.8.xml
new file mode 100644
index 00000000..6c60431f
--- /dev/null
+++ b/src/man/sssd_krb5_locator_plugin.8.xml
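Review bot: The `debug_timestamps` entry under "General service configuration options" documents `Default: true`, while the sssd(8) page added earlier in this same commit documents `Default: false` for the same option; one of the two is wrong and both pages should be reconciled against the daemon's actual default. The `cache_credentials` entry in the domain section would also benefit from a pointer to the PAM options `offline_credentials_expiration` and `offline_failed_login_attempts`, both documented here as `Default: 0 (No limit)`, so that an administrator who enables credential caching sees that nothing bounds offline use of those cached credentials unless they set them; e.g. append `When enabled, see offline_credentials_expiration and offline_failed_login_attempts in the PAM section to bound how long and how often cached credentials may be used offline.` Minor wording: `This parameter described the list of domains` should read `describes`, `can enable enable offline authentication again` repeats a word, and `plattforms`, `particulary` and `overriden` are misspelled.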
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd_krb5_locator_plugin</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The Kerberos locator plugin
+ <command>sssd_krb5_locator_plugin</command> is used by the Kerberos
+ provider of
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ to tell the Kerberos libraries what Realm and which KDC to use.
+ Typically this is done in
+ <citerefentry>
+ <refentrytitle>krb5.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ which is always read by the Kerberos libraries. To simplyfy the
+ configuration the Realm and the KDC can be defined in
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ as described in
+ <citerefentry>
+ <refentrytitle>sssd-krb5.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ </para>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ puts the Realm and the name or IP address of the KDC into the
+ enviroment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively.
+ When <command>sssd_krb5_locator_plugin</command> is called by the
+ kerberos libraries it reads and evaluates these variable and returns
+ them to the libraries.
+ </para>
+ </refsect1>
+
+ <refsect1 id='notes'>
+ <title>NOTES</title>
+ <para>
+ Not all Kerberos implementations support the use of plugins. If
+ <command>sssd_krb5_locator_plugin</command> is not available on
+ your system you have to edit /etc/krb5.conf to reflect your
+ Kerberos setup.
+ </para>
+ <para>
+ If the enviroment variable SSSD_KRB5_LOCATOR_DEBUG is set to any
+ value debug messages will be sent to stderr.
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference> |
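Review bot: The `<refpurpose>` of this page reads `the configuration file for SSSD`, which is copied from sssd.conf(5) and is wrong for a plugin man page; it should describe the plugin, e.g. `<refpurpose>Kerberos locator plugin for SSSD</refpurpose>`. The DESCRIPTION cross-references `<refentrytitle>sssd-krb5.conf</refentrytitle>`, but the page this commit adds and lists in SEE ALSO is `sssd-krb5`, so that reference should be `<refentrytitle>sssd-krb5</refentrytitle>`. The second DESCRIPTION paragraph says only that SSSD_KRB5_REALM and SSSD_KRB5_KDC are read and returned; it would help administrators to also state what the plugin does when those variables are absent from a process's environment (presumably it defers to krb5.conf, which is worth saying explicitly if so). Spelling: `simplyfy`, `enviroment` (twice), and `these variable` should be `these variables`.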