summaryrefslogtreecommitdiff
path: root/src/man
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2010-02-18 07:49:04 -0500
committerStephen Gallagher <sgallagh@redhat.com>2010-02-18 13:48:45 -0500
commit1c48b5a62f73234ed26bb20f0ab345ab61cda0ab (patch)
tree0b6cddd567a862e1a7b5df23764869782a62ca78 /src/man
parent8c56df3176f528fe0260974b3bf934173c4651ea (diff)
downloadsssd-1c48b5a62f73234ed26bb20f0ab345ab61cda0ab.tar.gz
sssd-1c48b5a62f73234ed26bb20f0ab345ab61cda0ab.tar.bz2
sssd-1c48b5a62f73234ed26bb20f0ab345ab61cda0ab.zip
Rename server/ directory to src/
Also update BUILD.txt
Diffstat (limited to 'src/man')
-rw-r--r--src/man/include/failover.xml42
-rw-r--r--src/man/include/param_help.xml10
-rw-r--r--src/man/include/upstream.xml4
-rw-r--r--src/man/sss_groupadd.8.xml81
-rw-r--r--src/man/sss_groupdel.8.xml69
-rw-r--r--src/man/sss_groupmod.8.xml95
-rw-r--r--src/man/sss_groupshow.8.xml76
-rw-r--r--src/man/sss_useradd.8.xml191
-rw-r--r--src/man/sss_userdel.8.xml105
-rw-r--r--src/man/sss_usermod.8.xml150
-rw-r--r--src/man/sssd-ipa.5.xml159
-rw-r--r--src/man/sssd-krb5.5.xml250
-rw-r--r--src/man/sssd-ldap.5.xml688
-rw-r--r--src/man/sssd.8.xml148
-rw-r--r--src/man/sssd.conf.5.xml808
-rw-r--r--src/man/sssd_krb5_locator_plugin.8.xml89
16 files changed, 2965 insertions, 0 deletions
diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
new file mode 100644
index 00000000..efe3ee42
--- /dev/null
+++ b/src/man/include/failover.xml
@@ -0,0 +1,42 @@
+<refsect1 id='failover'>
+ <title>FAILOVER</title>
+ <para>
+ The failover feature allows back ends to automatically switch to
+ a different server if the primary server fails.
+ </para>
+ <refsect2 id='failover_syntax'>
+ <title>Failover Syntax</title>
+ <para>
+ The list of servers is given as a comma-separated list; any
+ number of spaces is allowed around the comma. The servers are
+ listed in order of preference. The list can contain any number
+ of servers.
+ </para>
+ </refsect2>
+ <refsect2 id='failover_mechanism'>
+ <title>The Failover Mechanism</title>
+ <para>
+ The failover mechanism distinguishes between a machine and a
+ service. The back end first tries to resolve the hostname of a
+ given machine; if this resolution attempt fails, the machine is
+ considered offline. No further attempts are made to connect
+ to this machine for any other service. If the resolution
+ attempt succeeds, the back end tries to connect to a service
+ on this machine. If the service connection attempt fails,
+ then only this particular service is considered offline and
+ the back end automatically switches over to the next service.
+ The machine is still considered online and might still be tried
+ for another service.
+ </para>
+ <para>
+ Further connection attempts are made to machines or services
+ marked as offline after a specified period of time; this is
+ currently hard coded to 30 seconds.
+ </para>
+ <para>
+ If there are no more machines to try, the back end as a whole
+ switches to offline mode, and then attempts to reconnect
+ every 30 seconds.
+ </para>
+ </refsect2>
+</refsect1>
diff --git a/src/man/include/param_help.xml b/src/man/include/param_help.xml
new file mode 100644
index 00000000..a2478bf2
--- /dev/null
+++ b/src/man/include/param_help.xml
@@ -0,0 +1,10 @@
+<varlistentry>
+ <term>
+ <option>-h</option>,<option>--help</option>
+ </term>
+ <listitem>
+ <para>
+ Display help message and exit.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/src/man/include/upstream.xml b/src/man/include/upstream.xml
new file mode 100644
index 00000000..b6f633cc
--- /dev/null
+++ b/src/man/include/upstream.xml
@@ -0,0 +1,4 @@
+<refentryinfo>
+ <productname>SSSD</productname>
+ <orgname>The SSSD upstream - http://fedorahosted.org/sssd</orgname>
+</refentryinfo>
diff --git a/src/man/sss_groupadd.8.xml b/src/man/sss_groupadd.8.xml
new file mode 100644
index 00000000..15b7ea5a
--- /dev/null
+++ b/src/man/sss_groupadd.8.xml
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_groupadd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_groupadd</refname>
+ <refpurpose>create a new group</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_groupadd</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>GROUP</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_groupadd</command> creates a new group. These groups are compatible
+ with POSIX groups, with the additional feature that they can contain other groups
+ as members.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-g</option>,<option>--gid</option>
+ <replaceable>GID</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Set the GID of the group to the value of <replaceable>GID</replaceable>.
+ If not given, it is chosen automatically.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_groupdel.8.xml b/src/man/sss_groupdel.8.xml
new file mode 100644
index 00000000..22f4fca0
--- /dev/null
+++ b/src/man/sss_groupdel.8.xml
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_groupdel</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_groupdel</refname>
+ <refpurpose>create a new group</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_groupdel</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>GROUP</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_groupdel</command> deletes a group
+ identified by its name <replaceable>GROUP</replaceable>
+ from the system.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_groupmod.8.xml b/src/man/sss_groupmod.8.xml
new file mode 100644
index 00000000..b2226e2e
--- /dev/null
+++ b/src/man/sss_groupmod.8.xml
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_groupmod</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_groupmod</refname>
+ <refpurpose>modify a group</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_groupmod</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>GROUP</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_groupmod</command> modifies the
+ group to reflect the changes that are specified on
+ the command line.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-a</option>,<option>--append-group</option>
+ <replaceable>GROUPS</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Append this group to groups specified by the
+ <replaceable>GROUPS</replaceable> parameter.
+ The <replaceable>GROUPS</replaceable> parameter
+ is a comma separated list of group names.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-r</option>,<option>--remove-group</option>
+ <replaceable>GROUPS</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Remove this group from groups specified by the
+ <replaceable>GROUPS</replaceable> parameter.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_groupshow.8.xml b/src/man/sss_groupshow.8.xml
new file mode 100644
index 00000000..13e2dfcb
--- /dev/null
+++ b/src/man/sss_groupshow.8.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_groupshow</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_groupshow</refname>
+ <refpurpose>print properties of a group</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_groupshow</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>GROUP</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_groupshow</command> displays information about a group
+ identified by its name <replaceable>GROUP</replaceable>. The information
+ includes the group ID number, members of the group and the parent group.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-R</option>,<option>--recursive</option>
+ </term>
+ <listitem>
+ <para>
+ Also print indirect group members in a tree-like hierarchy.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_useradd.8.xml b/src/man/sss_useradd.8.xml
new file mode 100644
index 00000000..7620ffda
--- /dev/null
+++ b/src/man/sss_useradd.8.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_useradd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_useradd</refname>
+ <refpurpose>create a new user</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_useradd</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>LOGIN</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_useradd</command> creates a new user account using
+ the values specified on the command line plus the default values from
+ the system.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-u</option>,<option>--uid</option>
+ <replaceable>UID</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Set the UID of the user to the value of <replaceable>UID</replaceable>.
+ If not given, it is chosen automatically.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-g</option>,<option>--gid</option>
+ <replaceable>GID</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Set the GID or group membership of the user to the value
+ of <replaceable>GID</replaceable>. If not given, it is
+ chosen automatically.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-c</option>,<option>--gecos</option>
+ <replaceable>COMMENT</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Any text string describing the user. Often used as
+ the field for the user's full name.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-h</option>,<option>--home</option>
+ <replaceable>HOME_DIR</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The home directory of the user account.
+ The default is to append the <replaceable>LOGIN</replaceable> name
+ to <filename>/home</filename> and use that as the home directory.
+ The base that is prepended before <replaceable>LOGIN</replaceable> is tunable
+ with <quote>user_defaults/baseDirectory</quote> setting in sssd.conf.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-s</option>,<option>--shell</option>
+ <replaceable>SHELL</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The user's login shell. The default is currently <filename>/bin/bash</filename>.
+ The default can be changed with
+ <quote>user_defaults/defaultShell</quote> setting
+ in sssd.conf.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-G</option>,<option>--groups</option>
+ <replaceable>GROUPS</replaceable>
+ </term>
+ <listitem>
+ <para>
+ A list of existing groups this user is also a member of.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-m</option>,<option>--create-home</option>
+ </term>
+ <listitem>
+ <para>
+ Create the user's home directory if it does not
+ exist. The files and directories contained in the
+ skeleton directory (which can be defined with the
+ -k option or in the config file) will be copied
+ to the home directory.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-M</option>,<option>--no-create-home</option>
+ </term>
+ <listitem>
+ <para>
+ Do not create the user's home directory. Overrides
+ configuration settings.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-k</option>,<option>--skel</option>
+ <replaceable>SKELDIR</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The skeleton directory, which contains files
+ and directories to be copied in the user's home
+ directory, when the home directory is
+ created by <command>sss_useradd</command>.
+ </para>
+ <para>
+ This option is only valid if the <option>-m</option>
+ (or <option>--create-home</option>) option is
+ specified, or creation of home directories is set to TRUE
+ in the configuration.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_userdel.8.xml b/src/man/sss_userdel.8.xml
new file mode 100644
index 00000000..0c495297
--- /dev/null
+++ b/src/man/sss_userdel.8.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_userdel</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_userdel</refname>
+ <refpurpose>delete a user account</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_userdel</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>LOGIN</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_userdel</command> deletes a user
+ identified by login name <replaceable>LOGIN</replaceable>
+ from the system.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ <varlistentry>
+ <term>
+ <option>-r</option>,<option>--remove</option>
+ </term>
+ <listitem>
+ <para>
+ Files in the user's home directory will be
+ removed along with the home directory itself and
+ the user's mail spool. Overrides the configuration.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-R</option>,<option>--no-remove</option>
+ </term>
+ <listitem>
+ <para>
+ Files in the user's home directory will NOT be
+ removed along with the home directory itself and
+ the user's mail spool. Overrides the configuration.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-f</option>,<option>--force</option>
+ </term>
+ <listitem>
+ <para>
+ This option forces <command>sss_userdel</command>
+ to remove the user's home directory and mail spool,
+ even if they are not owned by the specified user.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sss_usermod.8.xml b/src/man/sss_usermod.8.xml
new file mode 100644
index 00000000..b94fc738
--- /dev/null
+++ b/src/man/sss_usermod.8.xml
@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_usermod</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_usermod</refname>
+ <refpurpose>modify a user account</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_usermod</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>LOGIN</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_usermod</command> modifies the
+ account specified by <replaceable>LOGIN</replaceable>
+ to reflect the changes that are specified on the command line.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-c</option>,<option>--gecos</option>
+ <replaceable>COMMENT</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Any text string describing the user. Often used as
+ the field for the user's full name.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-h</option>,<option>--home</option>
+ <replaceable>HOME_DIR</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The home directory of the user account.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-s</option>,<option>--shell</option>
+ <replaceable>SHELL</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The user's login shell.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-a</option>,<option>--append-group</option>
+ <replaceable>GROUPS</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Append this user to groups specified by the
+ <replaceable>GROUPS</replaceable> parameter.
+ The <replaceable>GROUPS</replaceable> parameter
+ is a comma separated list of group names.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-r</option>,<option>--remove-group</option>
+ <replaceable>GROUPS</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Remove this user from groups specified by the
+ <replaceable>GROUPS</replaceable> parameter.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-l</option>,<option>--lock</option>
+ </term>
+ <listitem>
+ <para>
+ Lock the user account. The user won't be able
+ to log in.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-u</option>,<option>--unlock</option>
+ </term>
+ <listitem>
+ <para>
+ Unlock the user account.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
new file mode 100644
index 00000000..d1ba1c52
--- /dev/null
+++ b/src/man/sssd-ipa.5.xml
@@ -0,0 +1,159 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd-ipa</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd-ipa</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ This manual page describes the configuration of the IPA provider
+ for
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page.
+ </para>
+ <para>
+ The IPA provider is a back end used to connect to an IPA server.
+ (Refer to the freeipa.org web site for information about IPA servers.)
+ This provider requires that the machine be joined to the IPA domain;
+ configuration is almost entirely self-discovered and obtained
+ directly from the server.
+ </para>
+ <para>
+ The IPA provider accepts the same options used by the
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> identity provider and the
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> authentication provider.
+ However, it is neither necessary nor recommended to set these options.
+ </para>
+ </refsect1>
+
+ <refsect1 id='file-format'>
+ <title>CONFIGURATION OPTIONS</title>
+ <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page for details on the configuration of an SSSD domain.
+ <variablelist>
+ <varlistentry>
+ <term>ipa_domain (string)</term>
+ <listitem>
+ <para>
+ Specifies the name of the IPA domain.
+ This is optional. If not provided, the configuration
+ domain name is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ipa_server (string)</term>
+ <listitem>
+ <para>
+ The list of IP addresses or hostnames of the
+ IPA servers to which SSSD should connect in
+ the order of preference. For more information
+ on failover and server redundancy, see the
+ <quote>FAILOVER</quote> section.
+ This is optional if autodiscovery is enabled.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ipa_hostname (string)</term>
+ <listitem>
+ <para>
+ Optional. May be set on machines where the
+ hostname(5) does not reflect the fully qualified
+ name used in the IPA domain to identify this host.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_validate (boolean)</term>
+ <listitem>
+ <para>
+ Verify with the help of krb5_keytab that the TGT
+ obtained has not been spoofed.
+ </para>
+ <para>
+ Default: true
+ </para>
+ <para>
+ Note that this default differs from the
+ traditional Kerberos provider back end.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example assumes that SSSD is correctly
+ configured and example.com is one of the domains in the
+ <replaceable>[sssd]</replaceable> section. This examples shows only
+ the ipa provider-specific options.
+ </para>
+ <para>
+<programlisting>
+ [domain/example.com]
+ id_provider = ipa
+ ipa_server = ipaserver.example.com
+ ipa_hostname = myhost.example.com
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
new file mode 100644
index 00000000..32b6c293
--- /dev/null
+++ b/src/man/sssd-krb5.5.xml
@@ -0,0 +1,250 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd-krb5</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ This manual page describes the configuration of the Kerberos
+ 5 authentication backend for
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page
+ </para>
+ <para>
+ The Kerberos 5 authentication backend does not contain an identity
+ provider and must be paired with one in order to function properly (for
+ example, id_provider = ldap). Some information required by the Kerberos
+ 5 authentication backend must be provided by the identity provider, such
+ as the user's Kerberos Principal Name (UPN). The configuration of the
+ identity provider should have an entry to specify the UPN. Please refer
+ to the man page for the applicable identity provider for details on how
+ to configure this.
+ </para>
+ <para>
+ In the case where the UPN is not available in the identity backend
+ <command>sssd</command> will construct a UPN using the format
+ <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>.
+ </para>
+
+ </refsect1>
+
+ <refsect1 id='file-format'>
+ <title>CONFIGURATION OPTIONS</title>
+ <para>
+ If the auth-module krb5 is used in a SSSD domain, the following
+ options must be used. See the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>
+ for details on the configuration of a SSSD domain.
+ <variablelist>
+ <varlistentry>
+ <term>krb5_kdcip (string)</term>
+ <listitem>
+ <para>
+ Specifies the list of IP addresses or hostnames
+ of the Kerberos servers to which SSSD should
+ connect in the order of preference. For more
+ information on failover and server redundancy,
+ see the <quote>FAILOVER</quote> section.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_realm (string)</term>
+ <listitem>
+ <para>
+ The name of the Kerberos realm.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_changepw_principal (string)</term>
+ <listitem>
+ <para>
+ The priciple of the change password service.
+ If only the 'identifier/instance' part of the
+ principal are given the realm part is added
+ automatically.
+ </para>
+ <para>
+ Default: kadmin/changepw
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_ccachedir (string)</term>
+ <listitem>
+ <para>
+ Directory to store credential caches.
+ </para>
+ <para>
+ Default: /tmp
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_ccname_template (string)</term>
+ <listitem>
+ <para>
+ Location of the user's credential cache. Currently
+ only file based credential caches are supported. In
+ the template the following sequences are
+ substituted:
+ <variablelist>
+ <varlistentry>
+ <term>%u</term>
+ <listitem><para>login name</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%U</term>
+ <listitem><para>login UID</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%p</term>
+ <listitem><para>principal name</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%r</term>
+ <listitem><para>realm name</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%h</term>
+ <listitem><para>home directory</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%d</term>
+ <listitem><para>value of krb5ccache_dir
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%P</term>
+ <listitem><para>the process ID of the sssd
+ client</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%%</term>
+ <listitem><para>a literal '%'</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ If the template ends with 'XXXXXX' mkstemp(3) is
+ used to create a unique filename in a safe way.
+ </para>
+ <para>
+ Default: FILE:%d/krb5cc_%U_XXXXXX
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_auth_timeout (integer)</term>
+ <listitem>
+ <para>
+ Timeout in seconds after an online authentication or
+ change password request is aborted. If possible the
+ authentication request is continued offline.
+ </para>
+ <para>
+ Default: 15
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_validate (boolean)</term>
+ <listitem>
+ <para>
+ Verify with the help of krb5_keytab that the TGT obtained has not been spoofed.
+ </para>
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_keytab (string)</term>
+ <listitem>
+ <para>
+ The location of the keytab to use when validating
+ credentials obtained from KDCs.
+ </para>
+ <para>
+ Default: /etc/krb5.keytab
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example assumes that SSSD is correctly
+ configured and FOO is one of the domains in the
+ <replaceable>[sssd]</replaceable> section. This example shows
+ only configuration of Kerberos authentication, it does not include
+ any identity provider.
+ </para>
+ <para>
+<programlisting>
+ [domain/FOO]
+ auth_provider = krb5
+ krb5_kdcip = 192.168.1.1
+ krb5_realm = EXAMPLE.COM
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
new file mode 100644
index 00000000..b79cbbc9
--- /dev/null
+++ b/src/man/sssd-ldap.5.xml
@@ -0,0 +1,688 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd-ldap</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ This manual page describes the configuration of LDAP
+ domains for
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ Refer to the <quote>FILE FORMAT</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page for detailed syntax information.</para>
+ <para>
+ You can configure SSSD to use more than one LDAP domain.
+ </para>
+ <para>
+ If you want to authenticate against an LDAP server then TLS/SSL is
+ required. <command>sssd</command> <emphasis>does not</emphasis>
+ support authentication over an unencrypted channel. If the LDAP
+ server is used only as an identify provider, an encrypted channel
+ is not needed.
+ </para>
+ </refsect1>
+
+ <refsect1 id='file-format'>
+ <title>CONFIGURATION OPTIONS</title>
+ <para>
+ All of the common configuration options that apply to SSSD domains also apply
+ to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page for full details.
+
+ <variablelist>
+ <varlistentry>
+ <term>ldap_uri (string)</term>
+ <listitem>
+ <para>
+ Specifies the list of URIs of the LDAP servers to which
+ SSSD should connect in the order of preference. Refer to the
+ <quote>FAILOVER</quote> section for more information on failover and server redundancy.
+ </para>
+ <para>
+ Default: ldap://localhost
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_search_base (string)</term>
+ <listitem>
+ <para>
+ The default base DN to use for
+ performing LDAP user operations.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_schema (string)</term>
+ <listitem>
+ <para>
+ Specifies the Schema Type in use on the target LDAP
+ server.
+ Depending on the selected schema, the default
+ attribute names retrieved from the servers may vary.
+ The way that some attributes are handled may also differ.
+
+ Two schema types are currently supported:
+ rfc2307
+ rfc2307bis
+
+ The main difference between these two schema types is
+ how group memberships are recorded in the server.
+ With rfc2307, group members are listed by name in the
+ <emphasis>memberUid</emphasis> attribute.
+ With rfc2307bis, group members are listed by DN and
+ stored in the <emphasis>member</emphasis> attribute.
+
+ </para>
+ <para>
+ Default: rfc2307
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_default_bind_dn (string)</term>
+ <listitem>
+ <para>
+ The default bind DN to use for
+ performing LDAP operations.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_default_authtok_type (string)</term>
+ <listitem>
+ <para>
+ The type of the authentication token of the
+ default bind DN. The only currently supported value is "password".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_default_authtok (string)</term>
+ <listitem>
+ <para>
+ The authentication token of the default bind DN.
+ Only clear text passwords are currently supported.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_search_base (string)</term>
+ <listitem>
+ <para>
+ An optional base DN to restrict user searches
+ to a specific subtree.
+ </para>
+ <para>
+ Default: the value of
+ <emphasis>ldap_search_base</emphasis>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_object_class (string)</term>
+ <listitem>
+ <para>
+ The object class of a user entry in LDAP.
+ </para>
+ <para>
+ Default: posixAccount
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_name (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that corresponds to the
+ user's login name.
+ </para>
+ <para>
+ Default: uid
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_uid_number (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that corresponds to the
+ user's id.
+ </para>
+ <para>
+ Default: uidNumber
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_gid_number (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that corresponds to the
+ user's primary group id.
+ </para>
+ <para>
+ Default: gidNumber
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_gecos (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that corresponds to the
+ user's gecos field.
+ </para>
+ <para>
+ Default: gecos
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_home_directory (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the name of the user's
+ home directory.
+ </para>
+ <para>
+ Default: homeDirectory
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_shell (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the path to the
+ user's default shell.
+ </para>
+ <para>
+ Default: loginShell
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_uuid (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the UUID/GUID of
+ an LDAP user object.
+ </para>
+ <para>
+ Default: nsUniqueId
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_principal (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the user's Kerberos
+ User Principle Name (UPN).
+ </para>
+ <para>
+ Default: krbPrincipalName
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_force_upper_case_realm (boolean)</term>
+ <listitem>
+ <para>
+ Some directory servers, for example Active Directory,
+ might deliver the realm part of the UPN in lower case,
+ which might cause the authentication to fail. Set this
+ option to a non-zero value if you want to use an
+ upper-case realm.
+ </para>
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_fullname (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that corresponds to the
+ user's full name.
+ </para>
+ <para>
+ Default: cn
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_member_of (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that lists the user's
+ group memberships.
+ </para>
+ <para>
+ Default: memberOf
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_group_search_base (string)</term>
+ <listitem>
+ <para>
+ An optional base DN to restrict group searches
+ to a specific subtree.
+ </para>
+ <para>
+ Default: the value of
+ <emphasis>ldap_search_base</emphasis>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_group_object_class (string)</term>
+ <listitem>
+ <para>
+ The object class of a group entry in LDAP.
+ </para>
+ <para>
+ Default: posixGroup
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_group_name (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that corresponds to
+ the group name.
+ </para>
+ <para>
+ Default: cn
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_group_gid_number (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that corresponds to the
+ group's id.
+ </para>
+ <para>
+ Default: gidNumber
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_group_member (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the names of
+ the group's members.
+ </para>
+ <para>
+ Default: memberuid (rfc2307) / member (rfc2307bis)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_group_uuid (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the UUID/GUID of
+ an LDAP group object.
+ </para>
+ <para>
+ Default: nsUniqueId
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_network_timeout (integer)</term>
+ <listitem>
+ <para>
+ Specifies the timeout (in seconds) after which
+ the
+ <citerefentry>
+ <refentrytitle>poll</refentrytitle>
+ <manvolnum>2</manvolnum>
+ </citerefentry>/<citerefentry>
+ <refentrytitle>select</refentrytitle>
+ <manvolnum>2</manvolnum>
+ </citerefentry>
+ following a
+ <citerefentry>
+ <refentrytitle>connect</refentrytitle>
+ <manvolnum>2</manvolnum>
+ </citerefentry>
+ returns in case of no activity.
+ </para>
+ <para>
+ Default: 5
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_opt_timeout (integer)</term>
+ <listitem>
+ <para>
+ Specifies a timeout (in seconds) after which
+ calls to synchronous LDAP APIs will abort if no
+ response is received. Also controls the timeout
+ when communicating with the KDC in case of SASL bind.
+ </para>
+ <para>
+ Default: 5
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_tls_reqcert (string)</term>
+ <listitem>
+ <para>
+ Specifies what checks to perform on server
+ certificates in a TLS session, if any. It
+ can be specified as one of the following
+ values:
+ </para>
+ <para>
+ <emphasis>never</emphasis> = The client will
+ not request or check any server certificate.
+ </para>
+ <para>
+ <emphasis>allow</emphasis> = The server
+ certificate is requested. If no certificate is
+ provided, the session proceeds normally. If a
+ bad certificate is provided, it will be ignored
+ and the session proceeds normally.
+ </para>
+ <para>
+ <emphasis>try</emphasis> = The server certificate
+ is requested. If no certificate is provided, the
+ session proceeds normally. If a bad certificate
+ is provided, the session is immediately terminated.
+ </para>
+ <para>
+ <emphasis>demand</emphasis> = The server
+ certificate is requested. If no certificate
+ is provided, or a bad certificate is provided,
+ the session is immediately terminated.
+ </para>
+ <para>
+ <emphasis>hard</emphasis> = Same as
+ <quote>demand</quote>
+ </para>
+ <para>
+ Default: hard
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_tls_cacert (string)</term>
+ <listitem>
+ <para>
+ Specifies the file that contains certificates for
+ all of the Certificate Authorities that
+ <command>sssd</command> will recognize.
+ </para>
+ <para>
+ Default: use OpenLDAP defaults, typically in
+ <filename>/etc/openldap/ldap.conf</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_tls_cacertdir (string)</term>
+ <listitem>
+ <para>
+ Specifies the path of a directory that contains
+ Certificate Authority certificates in separate
+ individual files. Typically the file names need to
+ be the hash of the certificate followed by '.0'.
+ If available, <command>cacertdir_rehash</command>
+ can be used to create the correct names.
+ </para>
+ <para>
+ Default: use OpenLDAP defaults, typically in
+ <filename>/etc/openldap/ldap.conf</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_id_use_start_tls (boolean)</term>
+ <listitem>
+ <para>
+ Specifies that the id_provider connection must also
+ use <systemitem class="protocol">tls</systemitem> to protect the channel.
+ </para>
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_sasl_mech (string)</term>
+ <listitem>
+ <para>
+ Specify the SASL mechanism to use.
+ Currently only GSSAPI is tested and supported.
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_sasl_authid (string)</term>
+ <listitem>
+ <para>
+ Specify the SASL authorization id to use.
+ When GSSAPI is used, this represents the Kerberos
+ principal used for authentication to the directory.
+ </para>
+ <para>
+ Default: host/machine.fqdn@REALM
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_krb5_keytab (string)</term>
+ <listitem>
+ <para>
+ Specify the keytab to use when using SASL/GSSAPI.
+ </para>
+ <para>
+ Default: System keytab, normally <filename>/etc/krb5.keytab</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_krb5_init_creds (boolean)</term>
+ <listitem>
+ <para>
+ Specifies that the id_provider should init
+ Kerberos credentials (TGT).
+ This action is performed only if SASL is used and
+ the mechanism selected is GSSAPI.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_realm (string)</term>
+ <listitem>
+ <para>
+ Specify the Kerberos REALM (for SASL/GSSAPI auth).
+ </para>
+ <para>
+ Default: System defaults, see <filename>/etc/krb5.conf</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_pwd_policy (string)</term>
+ <listitem>
+ <para>
+ Select the policy to evaluate the password
+ expiration on the client side. The following values
+ are allowed:
+ </para>
+ <para>
+ <emphasis>none</emphasis> - No evaluation on the
+ client side. This option cannot disable server-side
+ password policies.
+ </para>
+ <para>
+ <emphasis>shadow</emphasis> - Use
+ <citerefentry><refentrytitle>shadow</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> style
+ attributes to evaluate if the password has expired.
+ Note that the current version of sssd cannot
+ update this attribute during a password change.
+ </para>
+ <para>
+ <emphasis>mit_kerberos</emphasis> - Use the attributes
+ used by MIT Kerberos to determine if the password has
+ expired. Use chpass_provider=krb5 to update these
+ attributes when the password is changed.
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_referrals (boolean)</term>
+ <listitem>
+ <para>
+ Specifies whether automatic referral chasing should
+ be enabled.
+ </para>
+ <para>
+ Please note that sssd only supports referral chasing
+ when it is compiled with OpenLDAP version 2.4.13 or
+ higher.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example assumes that SSSD is correctly
+ configured and LDAP is set to one of the domains in the
+ <replaceable>[domains]</replaceable> section.
+ </para>
+ <para>
+<programlisting>
+ [domain/LDAP]
+ id_provider = ldap
+ auth_provider = ldap
+ ldap_uri = ldap://ldap.mydomain.org
+ ldap_search_base = dc=mydomain,dc=org
+ ldap_tls_reqcert = demand
+ cache_credentials = true
+ enumerate = true
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='notes'>
+ <title>NOTES</title>
+ <para>
+ The descriptions of some of the configuration options in this manual
+ page are based on the <citerefentry>
+ <refentrytitle>ldap.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page from the OpenLDAP 2.4 distribution.
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
new file mode 100644
index 00000000..5e45a336
--- /dev/null
+++ b/src/man/sssd.8.xml
@@ -0,0 +1,148 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd</refname>
+ <refpurpose>System Security Services Daemon</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sssd</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>SSSD</command> provides a set of daemons to manage access to remote
+ directories and authentication mechanisms. It provides an NSS and
+ PAM interface toward the system and a pluggable backend system to
+ connect to multiple different account sources as well as D-Bus
+ interface. It is also the basis to provide client auditing and
+ policy services for projects like FreeIPA. It provides a more robust database
+ to store local users as well as extended user data.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-d</option>,<option>--debug-level</option>
+ <replaceable>LEVEL</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Debug level to run the daemon with. 0 is the default as well
+ as the lowest allowed value, 10 is the most verbose mode. This setting
+ overrides the settings from config file. This parameter implies <option>-i</option>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>debug_timestamps (bool)</term>
+ <listitem>
+ <para>
+ Add a timestamp to the debug messages
+ </para>
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-f</option>,<option>--debug-to-files</option>
+ </term>
+ <listitem>
+ <para>
+ Send the debug output to files instead of stderr. By default, the
+ log files are stored in <filename>/var/log/sssd</filename> and
+ there are separate log files for every SSSD service and domain.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-D</option>,<option>--daemon</option>
+ </term>
+ <listitem>
+ <para>
+ Become a daemon after starting up.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-i</option>,<option>--interactive</option>
+ </term>
+ <listitem>
+ <para>
+ Run in the foreground, don't become a daemon.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-c</option>,<option>--config</option>
+ </term>
+ <listitem>
+ <para>
+ Specify a non-default config file. The default is
+ <filename>/etc/sssd/sssd.conf</filename>. For reference
+ on the config file syntax and options, consult the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ manual page.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
new file mode 100644
index 00000000..7b240c8f
--- /dev/null
+++ b/src/man/sssd.conf.5.xml
@@ -0,0 +1,808 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd.conf</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='file-format'>
+ <title>FILE FORMAT</title>
+
+ <para>
+ The file has an ini-style syntax and consists of sections and
+ parameters. A section begins with the name of the section in
+ square brackets and continues until the next section begins. An
+ example of section with single and multi-valued parameters:
+ <programlisting>
+ <replaceable>[section]</replaceable>
+ <replaceable>key</replaceable> = <replaceable>value</replaceable>
+ <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>
+ </programlisting>
+ </para>
+
+ <para>
+ The data types used are string (no quotes needed), integer
+ and bool (with values of <quote>TRUE/FALSE</quote>).
+ </para>
+
+ <para>
+ A line comment starts with a hash sign (<quote>#</quote>) or a
+ semicolon (<quote>;</quote>)
+ </para>
+
+ <para>
+ All sections can have an optional
+ <replaceable>description</replaceable> parameter. Its function
+ is only as a label for the section.
+ </para>
+
+ <para>
+ <filename>sssd.conf</filename> must be a regular file, owned by
+ root and only root may read from or write to the file.
+ </para>
+ </refsect1>
+
+ <refsect1 id='special-sections'>
+ <title>SPECIAL SECTIONS</title>
+
+ <refsect2 id='services'>
+ <title>The [sssd] section</title>
+ <para>
+ Individual pieces of SSSD functionality are provided by special
+ SSSD services that are started and stopped together with SSSD.
+ The services are managed by a special service frequently called
+ <quote>monitor</quote>. The <quote>[sssd]</quote> section is used
+ to configure the monitor as well as some other important options
+ like the identity domains.
+ <variablelist>
+ <title>Section parameters</title>
+ <varlistentry>
+ <term>config_file_version (integer)</term>
+ <listitem>
+ <para>
+ Indicates what is the syntax of the config
+ file. SSSD 0.6.0 and later use version 2.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>services</term>
+ <listitem>
+ <para>
+ Comma separated list of services that are
+ started when sssd itself starts.
+ </para>
+ <para>
+ Supported services: nss, pam
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>reconnection_retries (integer)</term>
+ <listitem>
+ <para>
+ Number of times services should attempt to
+ reconnect in the event of a Data Provider
+ crash or restart before they give up
+ </para>
+ <para>
+ Default: 3
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>domains</term>
+ <listitem>
+ <para>
+ A domain is a database containing user
+ information. SSSD can use more domains
+ at the same time, but at least one
+ must be configured or SSSD won't start.
+ This parameter described the list of domains
+ in the order you want them to be queried.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>re_expression (string)</term>
+ <listitem>
+ <para>
+ Regular expression that describes how to parse the string
+ containing user name and domain into these components.
+ </para>
+ <para>
+ Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote>
+ which translates to "the name is everything up to the
+ <quote>@</quote> sign, the domain everything after that"
+ </para>
+ <para>
+ PLEASE NOTE: the support for non-unique named
+ subpatterns is not available on all plattforms
+ (e.g. RHEL5 and SLES10). Only plattforms with
+ libpcre version 7 or higher can support non-unique
+ named subpatterns.
+ </para>
+ <para>
+ PLEASE NOTE ALSO: older version of libpcre only
+ support the Python syntax (?P&lt;name&gt;) to label
+ subpatterns.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>full_name_format (string)</term>
+ <listitem>
+ <para>
+ A <citerefentry>
+ <refentrytitle>printf</refentrytitle>
+ <manvolnum>3</manvolnum>
+ </citerefentry>-compatible format that describes how to
+ translate a (name, domain) tuple into a fully qualified
+ name.
+ </para>
+ <para>
+ Default: <quote>%1$s@%2$s</quote>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ </refsect2>
+
+ </refsect1>
+
+ <refsect1 id='services-sections'>
+ <title>SERVICES SECTIONS</title>
+ <para>
+ Settings that can be used to configure different services
+ are described in this section. They should reside in the
+ [<replaceable>$NAME</replaceable>] section, for example,
+ for NSS service, the section would be <quote>[nss]</quote>
+ </para>
+
+ <refsect2 id='general'>
+ <title>General service configuration options</title>
+ <para>
+ These options can be used to configure any service.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>debug_level (integer)</term>
+ <listitem>
+ <para>
+ Sets the debug level for the service. The
+ value can be in range from 0 (only critical
+ messages) to 10 (very verbose).
+ </para>
+ <para>
+ Default: 0
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>debug_timestamps (bool)</term>
+ <listitem>
+ <para>
+ Add a timestamp to the debug messages
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>reconnection_retries (integer)</term>
+ <listitem>
+ <para>
+ Number of times services should attempt to
+ reconnect in the event of a Data Provider
+ crash or restart before they give up
+ </para>
+ <para>
+ Default: 3
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>command (string)</term>
+ <listitem>
+ <para>
+ By default, the executable
+ representing this service is called
+ <command>sssd_${service_name}</command>.
+ This directive allows to change the executable
+ name for the service. In the vast majority of
+ configurations, the default values should suffice.
+ </para>
+ <para>
+ Default: <command>sssd_${service_name}</command>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2 id='NSS'>
+ <title>NSS configuration options</title>
+ <para>
+ These options can be used to configure the
+ Name Service Switch (NSS) service.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>enum_cache_timeout (integer)</term>
+ <listitem>
+ <para>
+ How many seconds should nss_sss cache enumerations
+ (requests for info about all users)
+ </para>
+ <para>
+ Default: 120
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>entry_cache_nowait_percentage (integer)</term>
+ <listitem>
+ <para>
+ The entry cache can be set to automatically update
+ entries in the background if they are requested
+ beyond a percentage of the entry_cache_timeout
+ value for the domain.
+ </para>
+ <para>
+ For example, if the domain's entry_cache_timeout
+ is set to 30s and entry_cache_nowait_percentage is
+ set to 50 (percent), entries that come in after 15
+ seconds past the last cache update will be
+ returned immediately, but the SSSD will go and
+ update the cache on its own, so that future
+ requests will not need to block waiting for a
+ cache update.
+ </para>
+ <para>
+ Valid values for this option are 0-99 and
+ represent a percentage of the entry_cache_timeout
+ for each domain. For performance reasons, this
+ percentage will never reduce the nowait timeout to
+ less than 10 seconds.
+ (0 disables this feature)
+ </para>
+ <para>
+ Default: 0
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>entry_negative_timeout (integer)</term>
+ <listitem>
+ <para>
+ Specifies for how long nss_sss should cache
+ negative cache hits (that is, queries for
+ invalid database entries, like nonexistent ones)
+ before asking the back end again.
+ </para>
+ <para>
+ Default: 15
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>filter_users, filter_groups (string)</term>
+ <listitem>
+ <para>
+ Exclude certain users from being fetched from the sss
+ NSS database. This is particulary useful for system
+ accounts.
+ </para>
+ <para>
+ Default: root
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>filter_users_in_groups (bool)</term>
+ <listitem>
+ <para>
+ If you want filtered user still be group members
+ set this option to false.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+ <refsect2 id='PAM'>
+ <title>PAM configuration options</title>
+ <para>
+ These options can be used to configure the
+ Pluggable Authentication Module (PAM) service.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>offline_credentials_expiration (integer)</term>
+ <listitem>
+ <para>
+ If the authentication provider is offline, how
+ long should we allow cached logins (in days since
+ the last successful online login).
+ </para>
+ <para>
+ Default: 0 (No limit)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>offline_failed_login_attempts (integer)</term>
+ <listitem>
+ <para>
+ If the authentication provider is offline, how
+ many failed login attempts are allowed.
+ </para>
+ <para>
+ Default: 0 (No limit)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>offline_failed_login_delay (integer)</term>
+ <listitem>
+ <para>
+ The time in minutes which has to pass after
+ offline_failed_login_attempts has been reached
+ before a new login attempt is possible.
+ </para>
+ <para>
+ If set to 0 the user cannot authenticate offline if
+ offline_failed_login_attempts has been reached. Only
+ a successful online authentication can enable
+ enable offline authentication again.
+ </para>
+ <para>
+ Default: 5
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+ </refsect1>
+
+ <refsect1 id='domain-sections'>
+ <title>DOMAIN SECTIONS</title>
+ <para>
+ These configuration options can be present in a domain
+ configuration section, that is, in a section called
+ <quote>[domain/<replaceable>NAME</replaceable>]</quote>
+ <variablelist>
+ <varlistentry>
+ <term>min_id,max_id (integer)</term>
+ <listitem>
+ <para>
+ UID limits for the domain. If a domain contains
+ entry that is outside these limits, it is ignored
+ </para>
+ <para>
+ Default: 1000 for min_id, 0 (no limit) for max_id
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>timeout (integer)</term>
+ <listitem>
+ <para>
+ Timeout in seconds between heartbeats for this domain.
+ This is used to ensure that the backend process is
+ alive and capable of answering requests.
+ </para>
+ <para>
+ Default: 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>enumerate (bool)</term>
+ <listitem>
+ <para>
+ Determines if a domain can be enumerated. This
+ parameter can have one of the following values:
+ </para>
+ <para>
+ TRUE = Users and groups are enumerated
+ </para>
+ <para>
+ FALSE = No enumerations for this domain
+ </para>
+ <para>
+ Default: TRUE
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>entry_cache_timeout (integer)</term>
+ <listitem>
+ <para>
+ How many seconds should nss_sss consider
+ entries valid before asking the backend again
+ </para>
+ <para>
+ Default: 600
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>cache_credentials (bool)</term>
+ <listitem>
+ <para>
+ Determines if user credentials are also cached
+ in the local LDB cache
+ </para>
+ <para>
+ Default: FALSE
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>id_provider (string)</term>
+ <listitem>
+ <para>
+ The Data Provider identity backend to use for this
+ domain.
+ </para>
+ <para>
+ Supported backends:
+ </para>
+ <para>
+ proxy: Support a legacy NSS provider
+ </para>
+ <para>
+ local: SSSD internal local provider
+ </para>
+ <para>
+ ldap: LDAP provider
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>use_fully_qualified_names (bool)</term>
+ <listitem>
+ <para>
+ If set to TRUE, all requests to this domain
+ must use fully qualified names. For example,
+ if used in LOCAL domain that contains a "test"
+ user, <command>getent passwd test</command>
+ wouldn't find the user while <command>getent
+ passwd test@LOCAL</command> would.
+ </para>
+ <para>
+ Default: FALSE
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>auth_provider (string)</term>
+ <listitem>
+ <para>
+ The authentication provider used for the domain.
+ Supported auth providers are:
+ </para>
+ <para>
+ <quote>ldap</quote> for native LDAP authentication. See
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring LDAP.
+ </para>
+ <para>
+ <quote>krb5</quote> for Kerberos authentication. See
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring Kerberos.
+ </para>
+ <para>
+ <quote>proxy</quote> for relaying authentication to some other PAM target.
+ </para>
+ <para>
+ <quote>none</quote> disables authentication explicitly.
+ </para>
+ <para>
+ Default: <quote>id_provider</quote> is used if it
+ is set and can handle authentication requests.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>access_provider (string)</term>
+ <listitem>
+ <para>
+ The access control provider used for the domain.
+ There are two built-in access providers (in
+ addition to any included in installed backends)
+ Internal special providers are:
+ </para>
+ <para>
+ <quote>permit</quote> always allow access.
+ </para>
+ <para>
+ <quote>deny</quote> always deny access.
+ </para>
+ <para>
+ Default: <quote>permit</quote>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>chpass_provider (string)</term>
+ <listitem>
+ <para>
+ The provider which should handle change password
+ operations for the domain.
+ Supported change password providers are:
+ </para>
+ <para>
+ <quote>ldap</quote> to change a password stored
+ in a LDAP server. See
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring LDAP.
+ </para>
+ <para>
+ <quote>krb5</quote> to change the Kerberos
+ password. See
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring Kerberos.
+ </para>
+ <para>
+ <quote>proxy</quote> for relaying password changes
+ to some other PAM target.
+ </para>
+ <para>
+ <quote>none</quote> disallows password changes explicitly.
+ </para>
+ <para>
+ Default: <quote>auth_provider</quote> is used if it
+ is set and can handle change password requests.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ Options valid for proxy domains.
+
+ <variablelist>
+ <varlistentry>
+ <term>proxy_pam_target (string)</term>
+ <listitem>
+ <para>
+ The proxy target PAM proxies to.
+ </para>
+ <para>
+ Default: not set by default, you have to take an
+ existing pam configuration or create a new one and
+ add the service name here.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>proxy_lib_name (string)</term>
+ <listitem>
+ <para>
+ The name of the NSS library to use in proxy
+ domains. The NSS functions searched for in the
+ library are in the form of
+ _nss_$(libName)_$(function), for example
+ _nss_files_getpwent.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <refsect2 id='local_domain'>
+ <title>The local domain section</title>
+ <para>
+ This section contains settings for domain that stores users and
+ groups in SSSD native database, that is, a domain that uses
+ <replaceable>id_provider=local</replaceable>.
+ </para>
+ <variablelist>
+ <title>Section parameters</title>
+ <varlistentry>
+ <term>default_shell (string)</term>
+ <listitem>
+ <para>
+ The default shell for users created
+ with SSSD userspace tools.
+ </para>
+ <para>
+ Default: <filename>/bin/bash</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>base_directory (string)</term>
+ <listitem>
+ <para>
+ The tools append the login name to
+ <replaceable>base_directory</replaceable> and
+ use that as the home directory.
+ </para>
+ <para>
+ Default: <filename>/home</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>create_homedir (bool)</term>
+ <listitem>
+ <para>
+ Indicate if a home directory should be created by default for new users.
+ Can be overriden on command line.
+ </para>
+ <para>
+ Default: TRUE
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>remove_homedir (bool)</term>
+ <listitem>
+ <para>
+ Indicate if a home directory should be removed by default for deleted users.
+ Can be overriden on command line.
+ </para>
+ <para>
+ Default: TRUE
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>homedir_umask (integer)</term>
+ <listitem>
+ <para>
+ Used by
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry> to specify the default permissions on a newly created
+ home directory.
+ </para>
+ <para>
+ Default: 077
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>skel_dir (string)</term>
+ <listitem>
+ <para>
+ The skeleton directory, which contains files
+ and directories to be copied in the user's
+ home directory, when the home directory is
+ created by
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ <para>
+ Default: <filename>/etc/skel</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>mail_dir (string)</term>
+ <listitem>
+ <para>
+ The mail spool directory. This is needed to
+ manipulate the mailbox when its corresponding
+ user account is modified or deleted.
+ If not specified, a default
+ value is used.
+ </para>
+ <para>
+ Default: <filename>/var/mail</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ </refsect1>
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example shows a typical SSSD config. It does
+ not describe configuration of the domains themselves - refer to
+ documentation on configuring domains for more details.
+<programlisting>
+[sssd]
+domains = LDAP
+services = nss, pam
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://ldap.example.com
+ldap_search_base = dc=example,dc=com
+
+auth_provider = krb5
+krb5_kdcip = kerberos.example.com
+krb5_realm = EXAMPLE.COM
+cache_credentials = true
+
+min_id = 10000
+max_id = 20000
+enumerate = true
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/man/sssd_krb5_locator_plugin.8.xml b/src/man/sssd_krb5_locator_plugin.8.xml
new file mode 100644
index 00000000..6c60431f
--- /dev/null
+++ b/src/man/sssd_krb5_locator_plugin.8.xml
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd_krb5_locator_plugin</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The Kerberos locator plugin
+ <command>sssd_krb5_locator_plugin</command> is used by the Kerberos
+ provider of
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ to tell the Kerberos libraries what Realm and which KDC to use.
+ Typically this is done in
+ <citerefentry>
+ <refentrytitle>krb5.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ which is always read by the Kerberos libraries. To simplyfy the
+ configuration the Realm and the KDC can be defined in
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ as described in
+ <citerefentry>
+ <refentrytitle>sssd-krb5.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ </para>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ puts the Realm and the name or IP address of the KDC into the
+ enviroment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively.
+ When <command>sssd_krb5_locator_plugin</command> is called by the
+ kerberos libraries it reads and evaluates these variable and returns
+ them to the libraries.
+ </para>
+ </refsect1>
+
+ <refsect1 id='notes'>
+ <title>NOTES</title>
+ <para>
+ Not all Kerberos implementations support the use of plugins. If
+ <command>sssd_krb5_locator_plugin</command> is not available on
+ your system you have to edit /etc/krb5.conf to reflect your
+ Kerberos setup.
+ </para>
+ <para>
+ If the enviroment variable SSSD_KRB5_LOCATOR_DEBUG is set to any
+ value debug messages will be sent to stderr.
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference>