Diffstat (limited to 'server/man/sssd.conf.5.xml')
-rw-r--r-- | server/man/sssd.conf.5.xml | 325 |
1 files changed, 144 insertions, 181 deletions
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml index 83129eeb..62d0c2b4 100644 --- a/server/man/sssd.conf.5.xml +++ b/server/man/sssd.conf.5.xml @@ -53,16 +53,18 @@ <title>SPECIAL SECTIONS</title> <refsect2 id='services'> - <title>The [services] section</title> + <title>The [sssd] section</title> <para> Individual pieces of SSSD functionality are provided by special SSSD services that are started and stopped together with SSSD. - The services are managed by a special service called - <quote>monitor</quote>. + The services are managed by a special service frequently called + <quote>monitor</quote>. The <quote>[sssd]</quote> section is used + to configure the monitor as well as some other important options + like the identity domains. <variablelist> <title>Section parameters</title> <varlistentry> - <term>activeServices</term> + <term>services</term> <listitem> <para> Comma separated list of services that are 
@@ -91,121 +93,65 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>domains</term> + <listitem> + <para> + A domain is a database containing user + information. SSSD can use more domains + at the same time, but at least one + must be configured or SSSD won't start. + This parameter described the list of domains + in the order you want them to be queried. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>re_expression (string)</term> + <listitem> + <para> + Regular expression that describes how to parse the string + containing user name and domain into these components. + </para> + <para> + Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> + which translates to "the name is everything up to the + <quote>@</quote> sign, the domain everything after that" + </para> + <para> + PLEASE NOTE: the support for non-unique named + subpatterns is not available on all plattforms + (e.g. RHEL5 and SLES10). Only plattforms with + libpcre version 7 or higher can support non-unique + named subpatterns. + </para> + <para> + PLEASE NOTE ALSO: older version of libpcre only + support the Python syntax (?P<name>) to label + subpatterns. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>full_name_format (string)</term> + <listitem> + <para> + A <citerefentry> + <refentrytitle>printf</refentrytitle> + <manvolnum>3</manvolnum> + </citerefentry>-compatible format that describes how to + translate a (name, domain) tuple into a fully qualified + name. + </para> + <para> + Default: <quote>%1$s@%2$s</quote>. + </para> + </listitem> + </varlistentry> </variablelist> </para> </refsect2> - <refsect2 id='domains'> - <title>The [domains] section</title> - <para> - A domain is a database containing user information. SSSD can - use more domains at the same time, but at least one must - be configured or SSSD won't start. 
- </para> - <variablelist> - <title>Section parameters</title> - <varlistentry> - <term>domains</term> - <listitem> - <para> - The list of domains in the order you want them - to be queried - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect2> - - <refsect2 id='names'> - <title>The [names] section</title> - <para> - This section allows to configure how a name, or a fully qualified - name looks like. These settings are used by both the PAM and NSS - responders. - </para> - <variablelist> - <title>Section parameters</title> - <varlistentry> - <term>re-expression (string)</term> - <listitem> - <para> - Regular expression that describes how to parse the string - containing user name and domain into these components. - </para> - <para> - Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> - which translates to "the name is everything up to the - <quote>@</quote> sign, the domain everything after that" - </para> - <para> - PLEASE NOTE: the support for non-unique named - subpatterns is not available on all plattforms - (e.g. RHEL5 and SLES10). Only plattforms with - libpcre version 7 or higher can support non-unique - named subpatterns. - </para> - <para> - PLEASE NOTE ALSO: older version of libpcre only - support the Python syntax (?P<name>) to label - subpatterns. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>full-name-format (string)</term> - <listitem> - <para> - A <citerefentry> - <refentrytitle>printf</refentrytitle> - <manvolnum>3</manvolnum> - </citerefentry>-compatible format that describes how to - translate a (name, domain) tuple into a fully qualified - name. - </para> - <para> - Default: <quote>%1$s@%2$s</quote>. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect2> - - <refsect2 id='user_defaults'> - <title>The [user_defaults] section</title> - <para> - This section contains settings that alter default values used - when adding a user with SSSD userspace tools (sss_useradd). 
- </para> - <variablelist> - <title>Section parameters</title> - <varlistentry> - <term>defaultShell (string)</term> - <listitem> - <para> - The default shell for users created - with SSSD userspace tools. - </para> - <para> - Default: <filename>/bin/bash</filename> - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>baseDirectory (string)</term> - <listitem> - <para> - The tools append the login name to - <replaceable>baseDirectory</replaceable> and - use that as the home directory. - </para> - <para> - Default: <filename>/home</filename> - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect2> - </refsect1> <refsect1 id='services-sections'> @@ -213,8 +159,8 @@ <para> Settings that can be used to configure different services are described in this section. They should reside in the - [services/<replaceable>NAME</replaceable>] section, for example, - for NSS service, the section would be <quote>[services/nss]</quote> + [<replaceable>$NAME</replaceable>] section, for example, + for NSS service, the section would be <quote>[nss]</quote> </para> <refsect2 id='general'> @@ -224,7 +170,7 @@ </para> <variablelist> <varlistentry> - <term>debug-level (integer)</term> + <term>debug_level (integer)</term> <listitem> <para> Sets the debug level for the service. The @@ -277,19 +223,7 @@ </para> <variablelist> <varlistentry> - <term>sbusAddress (string)</term> - <listitem> - <para> - The services in sssd communicate over an internal - wrapper on top of D-Bus called S-Bus. This - directive can be used to specify the address - to connect to. The vast majority of configurations - will not need to change this setting. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>sbusTimeout (string)</term> + <term>sbus_timeout (string)</term> <listitem> <para> Specifies the timeout for messages sent over the SBUS. 
@@ -311,7 +245,7 @@ </para> <variablelist> <varlistentry> - <term>EnumCacheTimeout (integer)</term> + <term>enum_cache_timeout (integer)</term> <listitem> <para> How long should nss_sss cache enumerations @@ -323,7 +257,7 @@ </listitem> </varlistentry> <varlistentry> - <term>EntryCacheTimeout (integer)</term> + <term>entry_cache_timeout (integer)</term> <listitem> <para> How long should nss_sss cache positive cache hits @@ -336,7 +270,7 @@ </listitem> </varlistentry> <varlistentry> - <term>EntryCacheNoWaitRefreshTimeout (integer)</term> + <term>entry_cache_nowait_timeout (integer)</term> <listitem> <para> How long should nss_sss return cached entries before @@ -349,7 +283,7 @@ </listitem> </varlistentry> <varlistentry> - <term>EntryNegativeTimeout (integer)</term> + <term>entry_negative_timeout (integer)</term> <listitem> <para> How long should nss_sss cache negative cache hits @@ -362,17 +296,20 @@ </listitem> </varlistentry> <varlistentry> - <term>filterUsers, filterGroups (string)</term> + <term>filter_users, filter_groups (string)</term> <listitem> <para> Exclude certain users from being fetched from the sss NSS database. This is particulary useful for system - accounts like root. + accounts. + </para> + <para> + Default: root </para> </listitem> </varlistentry> <varlistentry> - <term>filterUsersInGroups (bool)</term> + <term>filter_users_in_groups (bool)</term> <listitem> <para> If you want filtered user still be group members 
@@ -392,17 +329,17 @@ <para> These configuration options can be present in a domain configuration section, that is, in a section called - <quote>[domains/<replaceable>NAME</replaceable>]</quote> + <quote>[domain/<replaceable>NAME</replaceable>]</quote> <variablelist> <varlistentry> - <term>minId,maxId (integer)</term> + <term>min_id,max_id (integer)</term> <listitem> <para> UID limits for the domain. If a domain contains entry that is outside these limits, it is ignored </para> <para> - Default: 0 (no limit) + Default: 1000 for min_id, 0 (no limit) for max_id </para> </listitem> </varlistentry> @@ -422,7 +359,7 @@ </varlistentry> <varlistentry> - <term>magicPrivateGroups (bool)</term> + <term>magic_private_groups (bool)</term> <listitem> <para> By using the Magic Private Groups option, you @@ -482,7 +419,7 @@ </varlistentry> <varlistentry> - <term>cache-credentials (bool)</term> + <term>cache_credentials (bool)</term> <listitem> <para> Determines if user credentials are also cached @@ -495,7 +432,7 @@ </varlistentry> <varlistentry> - <term>store-legacy-passwords (bool)</term> + <term>store_legacy_passwords (bool)</term> <listitem> <para> Whether to also store passwords in a legacy domain @@ -507,10 +444,11 @@ </varlistentry> <varlistentry> - <term>provider (string)</term> + <term>id_provider (string)</term> <listitem> <para> - The Data Provider backend to use for this domain. + The Data Provider identity backend to use for this + domain. </para> <para> Supported backends: @@ -528,7 +466,7 @@ </varlistentry> <varlistentry> - <term>useFullyQualifiedNames (bool)</term> + <term>use_fully_qualified_names (bool)</term> <listitem> <para> If set to TRUE, all requests to this domain 
@@ -544,11 +482,11 @@ </listitem> </varlistentry> <varlistentry> - <term>auth-module (string)</term> + <term>auth_provider (string)</term> <listitem> <para> - The authentication module used for the domain. - Supported auth modules are: + The authentication provider used for the domain. + Supported auth providers are: </para> <para> <quote>ldap</quote> for native LDAP authentication. See @@ -577,7 +515,7 @@ <variablelist> <varlistentry> - <term>pam-target (string)</term> + <term>proxy_pam_target (string)</term> <listitem> <para> The proxy target PAM proxies to. @@ -589,7 +527,7 @@ </varlistentry> <varlistentry> - <term>libName (string)</term> + <term>proxy_lib_name (string)</term> <listitem> <para> The name of the NSS library to use in proxy @@ -602,6 +540,44 @@ </varlistentry> </variablelist> </para> + + <refsect2 id='local_domain'> + <title>The local domain section</title> + <para> + This section contains settings for domain that stores users and + groups in SSSD native database, that is, a domain that uses + <replaceable>id_provider=local</replaceable>. + </para> + <variablelist> + <title>Section parameters</title> + <varlistentry> + <term>default_shell (string)</term> + <listitem> + <para> + The default shell for users created + with SSSD userspace tools. + </para> + <para> + Default: <filename>/bin/bash</filename> + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>base_directory (string)</term> + <listitem> + <para> + The tools append the login name to + <replaceable>base_directory</replaceable> and + use that as the home directory. + </para> + <para> + Default: <filename>/home</filename> + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect2> + </refsect1> <refsect1 id='example'> 
@@ -611,39 +587,26 @@ not describe configuration of the domains themselves - refer to documentation on configuring domains for more details. <programlisting> -[services] -description = Local Service Configuration -activeServices = nss, pam -reconnection_retries = 3 - -[services/nss] -description = NSS Responder Configuration -filterGroups = root -filterUsers = root -debug-level = 4 - -[services/dp] -description = Data Provider Configuration -debug-level = 4 +[sssd] +domains = LOCAL +services = nss, dp, pam +config_file_version = 2 +sbus_timeout = 30 -[services/pam] -description = PAM Responder Configuration +[nss] +filter_groups = root +filter_users = root -[services/monitor] -description = Service Monitor Configuration +[pam] -[domains] -description = Domains served by SSSD -domains = LOCAL +[dp] -[domains/LOCAL] -description = LOCAL Users domain -enumerate = TRUE -minId = 5000 -maxId = 30000 -legacy = FALSE -magicPrivateGroups = TRUE -provider = local +[domain/LOCAL] +id_provider = local +min_id = 1000 +max_id = 5000 +default_shell = /bin/ksh +enumerate = true </programlisting> </para> </refsect1> |
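Review bot: the context line `<refsect2 id='services'>` at the top of the @@ -53,16 +53,18 @@ hunk keeps its old id while the title under it becomes "The [sssd] section", so the anchor for this section will still read "services". Consider renaming the id to match in the same commit, after checking for links to it. The new wording "frequently called monitor" is also vague for a reference page; say plainly what the service is called.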
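Review bot: the @@ -91,121 +93,65 @@ hunk drops the sentence from the removed [names] section saying these settings are used by both the PAM and NSS responders when it moves re_expression and full_name_format under [sssd]. Because re_expression decides how a login string is split into user name and domain, that scope statement is worth keeping in one of the new entries. In the added domains entry, "This parameter described" should be "describes" and the text should say whether the list is comma separated like services; "plattforms" is carried over misspelled twice.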
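Review bot: the placeholder in the @@ -213,8 +159,8 @@ hunk is written `[<replaceable>$NAME</replaceable>]`, while the domain section in the @@ -392,17 +329,17 @@ hunk uses `[domain/<replaceable>NAME</replaceable>]` without the dollar sign. Pick one form for both, otherwise a reader may take the `$` to be part of the section name.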
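Review bot: the renamed term in the @@ -277,19 +223,7 @@ hunk is still typed `sbus_timeout (string)` although it specifies a timeout and the example at the end of the patch sets `sbus_timeout = 30`. If the value is parsed as a number, the type should say integer and the unit should be stated. The sbusAddress entry is deleted here without a replacement; if the option itself is gone rather than just undocumented, the commit message or the man page should say so.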
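Review bot: the new "Default: root" paragraph in the @@ -362,17 +296,20 @@ hunk sits under the combined term `filter_users, filter_groups`, so it is unclear whether root is the default for both options or only for users. State the default per option, and note whether setting the option replaces or extends the default, since an administrator who lists other accounts would otherwise not know if root is still filtered. "particulary" in the same paragraph should be "particularly".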
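Review bot: the default for min_id in the @@ -392,17 +329,17 @@ hunk changes from 0 (no limit) to 1000, and the paragraph above it says entries outside the limits are ignored, so domains with accounts below 1000 lose them unless min_id is set explicitly. That deserves a sentence in the entry, and the entry should also say whether the limits apply to GIDs as well as UIDs. The term `min_id,max_id` is missing the space after the comma that `filter_users, filter_groups` has.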
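Review bot: in the @@ -602,6 +540,44 @@ hunk, `<replaceable>id_provider=local</replaceable>` marks a literal setting as a placeholder; `<quote>` or a literal element would match how the other fixed values in this page are written. The opening sentence also needs articles: "settings for a domain that stores users and groups in the SSSD native database".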
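Review bot: the example in the @@ -611,39 +587,26 @@ hunk introduces `config_file_version = 2`, which none of the [sssd] parameter entries visible in this patch describe. Add an entry for it, including what happens when it is absent. The example also lists `dp` in `services` and keeps empty `[pam]` and `[dp]` sections; say in the surrounding text whether those empty sections are required, or drop them.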