summaryrefslogtreecommitdiff
path: root/server/man/sssd-krb5.5.xml
diff options
context:
space:
mode:
Diffstat (limited to 'server/man/sssd-krb5.5.xml')
-rw-r--r--server/man/sssd-krb5.5.xml250
1 files changed, 0 insertions, 250 deletions
diff --git a/server/man/sssd-krb5.5.xml b/server/man/sssd-krb5.5.xml
deleted file mode 100644
index 32b6c293..00000000
--- a/server/man/sssd-krb5.5.xml
+++ /dev/null
@@ -1,250 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<reference>
-<title>SSSD Manual pages</title>
-<refentry>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
-
- <refmeta>
- <refentrytitle>sssd-krb5</refentrytitle>
- <manvolnum>5</manvolnum>
- <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
- </refmeta>
-
- <refnamediv id='name'>
- <refname>sssd-krb5</refname>
- <refpurpose>the configuration file for SSSD</refpurpose>
- </refnamediv>
-
- <refsect1 id='description'>
- <title>DESCRIPTION</title>
- <para>
- This manual page describes the configuration of the Kerberos
- 5 authentication backend for
- <citerefentry>
- <refentrytitle>sssd</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>.
- For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the
- <citerefentry>
- <refentrytitle>sssd.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- </citerefentry> manual page
- </para>
- <para>
- The Kerberos 5 authentication backend does not contain an identity
- provider and must be paired with one in order to function properly (for
- example, id_provider = ldap). Some information required by the Kerberos
- 5 authentication backend must be provided by the identity provider, such
- as the user's Kerberos Principal Name (UPN). The configuration of the
- identity provider should have an entry to specify the UPN. Please refer
- to the man page for the applicable identity provider for details on how
- to configure this.
- </para>
- <para>
- In the case where the UPN is not available in the identity backend
- <command>sssd</command> will construct a UPN using the format
- <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>.
- </para>
-
- </refsect1>
-
- <refsect1 id='file-format'>
- <title>CONFIGURATION OPTIONS</title>
- <para>
- If the auth-module krb5 is used in a SSSD domain, the following
- options must be used. See the
- <citerefentry>
- <refentrytitle>sssd.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- </citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>
- for details on the configuration of a SSSD domain.
- <variablelist>
- <varlistentry>
- <term>krb5_kdcip (string)</term>
- <listitem>
- <para>
- Specifies the list of IP addresses or hostnames
- of the Kerberos servers to which SSSD should
- connect in the order of preference. For more
- information on failover and server redundancy,
- see the <quote>FAILOVER</quote> section.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>krb5_realm (string)</term>
- <listitem>
- <para>
- The name of the Kerberos realm.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>krb5_changepw_principal (string)</term>
- <listitem>
- <para>
- The priciple of the change password service.
- If only the 'identifier/instance' part of the
- principal are given the realm part is added
- automatically.
- </para>
- <para>
- Default: kadmin/changepw
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>krb5_ccachedir (string)</term>
- <listitem>
- <para>
- Directory to store credential caches.
- </para>
- <para>
- Default: /tmp
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>krb5_ccname_template (string)</term>
- <listitem>
- <para>
- Location of the user's credential cache. Currently
- only file based credential caches are supported. In
- the template the following sequences are
- substituted:
- <variablelist>
- <varlistentry>
- <term>%u</term>
- <listitem><para>login name</para></listitem>
- </varlistentry>
- <varlistentry>
- <term>%U</term>
- <listitem><para>login UID</para></listitem>
- </varlistentry>
- <varlistentry>
- <term>%p</term>
- <listitem><para>principal name</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>%r</term>
- <listitem><para>realm name</para></listitem>
- </varlistentry>
- <varlistentry>
- <term>%h</term>
- <listitem><para>home directory</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>%d</term>
- <listitem><para>value of krb5ccache_dir
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>%P</term>
- <listitem><para>the process ID of the sssd
- client</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>%%</term>
- <listitem><para>a literal '%'</para>
- </listitem>
- </varlistentry>
- </variablelist>
- If the template ends with 'XXXXXX' mkstemp(3) is
- used to create a unique filename in a safe way.
- </para>
- <para>
- Default: FILE:%d/krb5cc_%U_XXXXXX
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>krb5_auth_timeout (integer)</term>
- <listitem>
- <para>
- Timeout in seconds after an online authentication or
- change password request is aborted. If possible the
- authentication request is continued offline.
- </para>
- <para>
- Default: 15
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>krb5_validate (boolean)</term>
- <listitem>
- <para>
- Verify with the help of krb5_keytab that the TGT obtained has not been spoofed.
- </para>
- <para>
- Default: false
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>krb5_keytab (string)</term>
- <listitem>
- <para>
- The location of the keytab to use when validating
- credentials obtained from KDCs.
- </para>
- <para>
- Default: /etc/krb5.keytab
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
-
- <refsect1 id='example'>
- <title>EXAMPLE</title>
- <para>
- The following example assumes that SSSD is correctly
- configured and FOO is one of the domains in the
- <replaceable>[sssd]</replaceable> section. This example shows
- only configuration of Kerberos authentication, it does not include
- any identity provider.
- </para>
- <para>
-<programlisting>
- [domain/FOO]
- auth_provider = krb5
- krb5_kdcip = 192.168.1.1
- krb5_realm = EXAMPLE.COM
-</programlisting>
- </para>
- </refsect1>
-
- <refsect1 id='see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-</refentry>
-</reference>
generated by cgit (git 2.34.1) at 2025-01-06 14:21:08 +0000