Diffstat (limited to 'server')
-rw-r--r-- | server/man/sssd-krb5.5.xml | 26
-rw-r--r-- | server/man/sssd-ldap.5.xml | 66
-rw-r--r-- | server/man/sssd.conf.5.xml | 325
3 files changed, 193 insertions, 224 deletions
diff --git a/server/man/sssd-krb5.5.xml b/server/man/sssd-krb5.5.xml index 234b194a..4de89919 100644 --- a/server/man/sssd-krb5.5.xml +++ b/server/man/sssd-krb5.5.xml @@ -46,7 +46,7 @@ for details on the configuration of a SSSD domain. <variablelist> <varlistentry> - <term>krb5KDCIP (string)</term> + <term>krb5_kdcip (string)</term> <listitem> <para> Specifies the IP address of the Kerberos server. @@ -55,7 +55,7 @@ </varlistentry> <varlistentry> - <term>krb5REALM (string)</term> + <term>krb5_realm (string)</term> <listitem> <para> The name of the Kerberos realm. @@ -64,7 +64,7 @@ </varlistentry> <varlistentry> - <term>krb5try_simple_upn (boolean)</term> + <term>krb5_try_simple_upn (boolean)</term> <listitem> <para> Set this option to 'true' @@ -78,7 +78,7 @@ </varlistentry> <varlistentry> - <term>krb5changepw_principle (string)</term> + <term>krb5_changepw_principle (string)</term> <listitem> <para> The priciple of the change password service. @@ -93,7 +93,7 @@ </varlistentry> <varlistentry> - <term>krb5ccache_dir (string)</term> + <term>krb5_ccachedir (string)</term> <listitem> <para> Directory to store credential caches. @@ -105,7 +105,7 @@ </varlistentry> <varlistentry> - <term>krb5ccname_template (string)</term> + <term>krb5_ccname_template (string)</term> <listitem> <para> Location of the user's credential cache. Currently @@ -163,7 +163,7 @@ </varlistentry> <varlistentry> - <term>krb5auth_timeout (integer)</term> + <term>krb5_auth_timeout (integer)</term> <listitem> <para> Timeout in seconds after an online authentication or 
@@ -185,14 +185,16 @@ <para> The following example assumes that SSSD is correctly configured and FOO is one of the domains in the - <replaceable>[domains]</replaceable> section. + <replaceable>[sssd]</replaceable> section. This example shows + only configuration of Kerberos authentication, it does not include + any identity provider. </para> <para> <programlisting> - [domains/FOO] - auth-module = krb5 - krb5KDCIP = 192.168.1.1 - krb5REALM = EXAMPLE.COM + [domain/FOO] + auth_provider = krb5 + krb5_kdcip = 192.168.1.1 + krb5_realm = EXAMPLE.COM </programlisting> </para> </refsect1> diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml index 176849a7..4c7e07b6 100644 --- a/server/man/sssd-ldap.5.xml +++ b/server/man/sssd-ldap.5.xml @@ -49,7 +49,7 @@ <variablelist> <varlistentry> - <term>ldapUri (string)</term> + <term>ldap_uri (string)</term> <listitem> <para> Specifies the URI of the LDAP server to which @@ -62,7 +62,7 @@ </varlistentry> <varlistentry> - <term>ldapSchema (string)</term> + <term>ldap_schema (string)</term> <listitem> <para> Specifies the Schema Type in use on the target LDAP @@ -91,7 +91,7 @@ </varlistentry> <varlistentry> - <term>defaultBindDn (string)</term> + <term>ldap_default_bind_dn (string)</term> <listitem> <para> The default bind DN to use for @@ -101,7 +101,7 @@ </varlistentry> <varlistentry> - <term>defaultAuthtokType (string)</term> + <term>ldap_default_authtok_type (string)</term> <listitem> <para> The type of the authentication token of the @@ -112,7 +112,7 @@ </varlistentry> <varlistentry> - <term>defaultAuthtok (string)</term> + <term>ldap_default_authtok (string)</term> <listitem> <para> The authentication token of the default bind DN. @@ -122,7 +122,7 @@ </varlistentry> <varlistentry> - <term>userSearchBase (string)</term> + <term>ldap_user_search_base (string)</term> <listitem> <para> The default base DN to use for 
@@ -132,7 +132,7 @@ </varlistentry> <varlistentry> - <term>userObjectClass (string)</term> + <term>ldap_user_object_class (string)</term> <listitem> <para> The object class of a user entry in LDAP. @@ -144,7 +144,7 @@ </varlistentry> <varlistentry> - <term>userName (string)</term> + <term>ldap_user_name (string)</term> <listitem> <para> The LDAP attribute that corresponds to @@ -157,7 +157,7 @@ </varlistentry> <varlistentry> - <term>userUidNumber (string)</term> + <term>ldap_user_uid_number (string)</term> <listitem> <para> The LDAP attribute that corresponds to @@ -170,7 +170,7 @@ </varlistentry> <varlistentry> - <term>userGidNumber (string)</term> + <term>ldap_user_gid_number (string)</term> <listitem> <para> The LDAP attribute that corresponds to @@ -183,7 +183,7 @@ </varlistentry> <varlistentry> - <term>userGecos (string)</term> + <term>ldap_user_gecos (string)</term> <listitem> <para> The LDAP attribute that corresponds to @@ -196,7 +196,7 @@ </varlistentry> <varlistentry> - <term>userHomeDirectory (string)</term> + <term>ldap_user_home_directory (string)</term> <listitem> <para> The LDAP attribute that contains the name of the @@ -209,7 +209,7 @@ </varlistentry> <varlistentry> - <term>userShell (string)</term> + <term>ldap_user_shell (string)</term> <listitem> <para> The LDAP attribute that contains the path of the @@ -222,7 +222,7 @@ </varlistentry> <varlistentry> - <term>userUUID (string)</term> + <term>ldap_user_uuid (string)</term> <listitem> <para> The LDAP attribute that contains the UUID/GUID of @@ -235,7 +235,7 @@ </varlistentry> <varlistentry> - <term>userPrincipal (string)</term> + <term>ldap_user_principal (string)</term> <listitem> <para> The LDAP attribute that contains the Kerberos @@ -248,7 +248,7 @@ </varlistentry> <varlistentry> - <term>force_upper_case_realm (boolean)</term> + <term>ldap_force_upper_case_realm (boolean)</term> <listitem> <para> Some directory servers, for example Active Directory, 
@@ -264,7 +264,7 @@ </varlistentry> <varlistentry> - <term>userFullname (string)</term> + <term>ldap_user_fullname (string)</term> <listitem> <para> The LDAP attribute that corresponds to @@ -277,7 +277,7 @@ </varlistentry> <varlistentry> - <term>userMemberOf (string)</term> + <term>ldap_user_member_of (string)</term> <listitem> <para> The LDAP attribute that list the user's @@ -290,7 +290,7 @@ </varlistentry> <varlistentry> - <term>groupSearchBase (string)</term> + <term>ldap_group_search_base (string)</term> <listitem> <para> The default base DN to use for @@ -300,7 +300,7 @@ </varlistentry> <varlistentry> - <term>groupObjectClass (string)</term> + <term>ldap_group_object_class (string)</term> <listitem> <para> The object class of a group entry in LDAP. @@ -312,7 +312,7 @@ </varlistentry> <varlistentry> - <term>groupName (string)</term> + <term>ldap_group_name (string)</term> <listitem> <para> The LDAP attribute that corresponds to @@ -325,7 +325,7 @@ </varlistentry> <varlistentry> - <term>groupGidNumber (string)</term> + <term>ldap_group_gid_number (string)</term> <listitem> <para> The LDAP attribute that corresponds to @@ -338,7 +338,7 @@ </varlistentry> <varlistentry> - <term>groupMember (string)</term> + <term>ldap_group_member (string)</term> <listitem> <para> The LDAP attribute that contains the names of @@ -351,7 +351,7 @@ </varlistentry> <varlistentry> - <term>groupUUID (string)</term> + <term>ldap_group_uuid (string)</term> <listitem> <para> The LDAP attribute that contains the UUID/GUID of @@ -364,7 +364,7 @@ </varlistentry> <varlistentry> - <term>network_timeout (integer)</term> + <term>ldap_network_timeout (integer)</term> <listitem> <para> Specifies the timeout (in seconds) after which @@ -390,7 +390,7 @@ </varlistentry> <varlistentry> - <term>opt_timeout (integer)</term> + <term>ldap_opt_timeout (integer)</term> <listitem> <para> Specifies a timeout (in seconds) after which 
@@ -404,7 +404,7 @@ </varlistentry> <varlistentry> - <term>tls_reqcert (string)</term> + <term>ldap_tls_reqcert (string)</term> <listitem> <para> Specifies what checks to perform on server @@ -455,10 +455,14 @@ </para> <para> <programlisting> - [domains/LDAP] - auth-module = ldap - ldapUri = ldap://ldap.mydomain.org - userSearchBase = dc=mydomain,dc=org + [domain/LDAP] + id_provider = ldap + auth_provider = ldap + ldap_uri = ldap://ldap.mydomain.org + ldap_user_search_base = dc=mydomain,dc=org + ldap_tls_reqcert = demand + cache_credentials = true + enumerate = true </programlisting> </para> </refsect1> diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml index 83129eeb..62d0c2b4 100644 --- a/server/man/sssd.conf.5.xml +++ b/server/man/sssd.conf.5.xml @@ -53,16 +53,18 @@ <title>SPECIAL SECTIONS</title> <refsect2 id='services'> - <title>The [services] section</title> + <title>The [sssd] section</title> <para> Individual pieces of SSSD functionality are provided by special SSSD services that are started and stopped together with SSSD. - The services are managed by a special service called - <quote>monitor</quote>. + The services are managed by a special service frequently called + <quote>monitor</quote>. The <quote>[sssd]</quote> section is used + to configure the monitor as well as some other important options + like the identity domains. <variablelist> <title>Section parameters</title> <varlistentry> - <term>activeServices</term> + <term>services</term> <listitem> <para> Comma separated list of services that are 
@@ -91,121 +93,65 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>domains</term> + <listitem> + <para> + A domain is a database containing user + information. SSSD can use more domains + at the same time, but at least one + must be configured or SSSD won't start. + This parameter described the list of domains + in the order you want them to be queried. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>re_expression (string)</term> + <listitem> + <para> + Regular expression that describes how to parse the string + containing user name and domain into these components. + </para> + <para> + Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> + which translates to "the name is everything up to the + <quote>@</quote> sign, the domain everything after that" + </para> + <para> + PLEASE NOTE: the support for non-unique named + subpatterns is not available on all plattforms + (e.g. RHEL5 and SLES10). Only plattforms with + libpcre version 7 or higher can support non-unique + named subpatterns. + </para> + <para> + PLEASE NOTE ALSO: older version of libpcre only + support the Python syntax (?P<name>) to label + subpatterns. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>full_name_format (string)</term> + <listitem> + <para> + A <citerefentry> + <refentrytitle>printf</refentrytitle> + <manvolnum>3</manvolnum> + </citerefentry>-compatible format that describes how to + translate a (name, domain) tuple into a fully qualified + name. + </para> + <para> + Default: <quote>%1$s@%2$s</quote>. + </para> + </listitem> + </varlistentry> </variablelist> </para> </refsect2> - <refsect2 id='domains'> - <title>The [domains] section</title> - <para> - A domain is a database containing user information. SSSD can - use more domains at the same time, but at least one must - be configured or SSSD won't start. 
- </para> - <variablelist> - <title>Section parameters</title> - <varlistentry> - <term>domains</term> - <listitem> - <para> - The list of domains in the order you want them - to be queried - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect2> - - <refsect2 id='names'> - <title>The [names] section</title> - <para> - This section allows to configure how a name, or a fully qualified - name looks like. These settings are used by both the PAM and NSS - responders. - </para> - <variablelist> - <title>Section parameters</title> - <varlistentry> - <term>re-expression (string)</term> - <listitem> - <para> - Regular expression that describes how to parse the string - containing user name and domain into these components. - </para> - <para> - Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> - which translates to "the name is everything up to the - <quote>@</quote> sign, the domain everything after that" - </para> - <para> - PLEASE NOTE: the support for non-unique named - subpatterns is not available on all plattforms - (e.g. RHEL5 and SLES10). Only plattforms with - libpcre version 7 or higher can support non-unique - named subpatterns. - </para> - <para> - PLEASE NOTE ALSO: older version of libpcre only - support the Python syntax (?P<name>) to label - subpatterns. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>full-name-format (string)</term> - <listitem> - <para> - A <citerefentry> - <refentrytitle>printf</refentrytitle> - <manvolnum>3</manvolnum> - </citerefentry>-compatible format that describes how to - translate a (name, domain) tuple into a fully qualified - name. - </para> - <para> - Default: <quote>%1$s@%2$s</quote>. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect2> - - <refsect2 id='user_defaults'> - <title>The [user_defaults] section</title> - <para> - This section contains settings that alter default values used - when adding a user with SSSD userspace tools (sss_useradd). 
- </para> - <variablelist> - <title>Section parameters</title> - <varlistentry> - <term>defaultShell (string)</term> - <listitem> - <para> - The default shell for users created - with SSSD userspace tools. - </para> - <para> - Default: <filename>/bin/bash</filename> - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>baseDirectory (string)</term> - <listitem> - <para> - The tools append the login name to - <replaceable>baseDirectory</replaceable> and - use that as the home directory. - </para> - <para> - Default: <filename>/home</filename> - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect2> - </refsect1> <refsect1 id='services-sections'> @@ -213,8 +159,8 @@ <para> Settings that can be used to configure different services are described in this section. They should reside in the - [services/<replaceable>NAME</replaceable>] section, for example, - for NSS service, the section would be <quote>[services/nss]</quote> + [<replaceable>$NAME</replaceable>] section, for example, + for NSS service, the section would be <quote>[nss]</quote> </para> <refsect2 id='general'> @@ -224,7 +170,7 @@ </para> <variablelist> <varlistentry> - <term>debug-level (integer)</term> + <term>debug_level (integer)</term> <listitem> <para> Sets the debug level for the service. The @@ -277,19 +223,7 @@ </para> <variablelist> <varlistentry> - <term>sbusAddress (string)</term> - <listitem> - <para> - The services in sssd communicate over an internal - wrapper on top of D-Bus called S-Bus. This - directive can be used to specify the address - to connect to. The vast majority of configurations - will not need to change this setting. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>sbusTimeout (string)</term> + <term>sbus_timeout (string)</term> <listitem> <para> Specifies the timeout for messages sent over the SBUS. 
@@ -311,7 +245,7 @@ </para> <variablelist> <varlistentry> - <term>EnumCacheTimeout (integer)</term> + <term>enum_cache_timeout (integer)</term> <listitem> <para> How long should nss_sss cache enumerations @@ -323,7 +257,7 @@ </listitem> </varlistentry> <varlistentry> - <term>EntryCacheTimeout (integer)</term> + <term>entry_cache_timeout (integer)</term> <listitem> <para> How long should nss_sss cache positive cache hits @@ -336,7 +270,7 @@ </listitem> </varlistentry> <varlistentry> - <term>EntryCacheNoWaitRefreshTimeout (integer)</term> + <term>entry_cache_nowait_timeout (integer)</term> <listitem> <para> How long should nss_sss return cached entries before @@ -349,7 +283,7 @@ </listitem> </varlistentry> <varlistentry> - <term>EntryNegativeTimeout (integer)</term> + <term>entry_negative_timeout (integer)</term> <listitem> <para> How long should nss_sss cache negative cache hits @@ -362,17 +296,20 @@ </listitem> </varlistentry> <varlistentry> - <term>filterUsers, filterGroups (string)</term> + <term>filter_users, filter_groups (string)</term> <listitem> <para> Exclude certain users from being fetched from the sss NSS database. This is particulary useful for system - accounts like root. + accounts. + </para> + <para> + Default: root </para> </listitem> </varlistentry> <varlistentry> - <term>filterUsersInGroups (bool)</term> + <term>filter_users_in_groups (bool)</term> <listitem> <para> If you want filtered user still be group members 
@@ -392,17 +329,17 @@ <para> These configuration options can be present in a domain configuration section, that is, in a section called - <quote>[domains/<replaceable>NAME</replaceable>]</quote> + <quote>[domain/<replaceable>NAME</replaceable>]</quote> <variablelist> <varlistentry> - <term>minId,maxId (integer)</term> + <term>min_id,max_id (integer)</term> <listitem> <para> UID limits for the domain. If a domain contains entry that is outside these limits, it is ignored </para> <para> - Default: 0 (no limit) + Default: 1000 for min_id, 0 (no limit) for max_id </para> </listitem> </varlistentry> @@ -422,7 +359,7 @@ </varlistentry> <varlistentry> - <term>magicPrivateGroups (bool)</term> + <term>magic_private_groups (bool)</term> <listitem> <para> By using the Magic Private Groups option, you @@ -482,7 +419,7 @@ </varlistentry> <varlistentry> - <term>cache-credentials (bool)</term> + <term>cache_credentials (bool)</term> <listitem> <para> Determines if user credentials are also cached @@ -495,7 +432,7 @@ </varlistentry> <varlistentry> - <term>store-legacy-passwords (bool)</term> + <term>store_legacy_passwords (bool)</term> <listitem> <para> Whether to also store passwords in a legacy domain @@ -507,10 +444,11 @@ </varlistentry> <varlistentry> - <term>provider (string)</term> + <term>id_provider (string)</term> <listitem> <para> - The Data Provider backend to use for this domain. + The Data Provider identity backend to use for this + domain. </para> <para> Supported backends: @@ -528,7 +466,7 @@ </varlistentry> <varlistentry> - <term>useFullyQualifiedNames (bool)</term> + <term>use_fully_qualified_names (bool)</term> <listitem> <para> If set to TRUE, all requests to this domain 
@@ -544,11 +482,11 @@ </listitem> </varlistentry> <varlistentry> - <term>auth-module (string)</term> + <term>auth_provider (string)</term> <listitem> <para> - The authentication module used for the domain. - Supported auth modules are: + The authentication provider used for the domain. + Supported auth providers are: </para> <para> <quote>ldap</quote> for native LDAP authentication. See @@ -577,7 +515,7 @@ <variablelist> <varlistentry> - <term>pam-target (string)</term> + <term>proxy_pam_target (string)</term> <listitem> <para> The proxy target PAM proxies to. @@ -589,7 +527,7 @@ </varlistentry> <varlistentry> - <term>libName (string)</term> + <term>proxy_lib_name (string)</term> <listitem> <para> The name of the NSS library to use in proxy @@ -602,6 +540,44 @@ </varlistentry> </variablelist> </para> + + <refsect2 id='local_domain'> + <title>The local domain section</title> + <para> + This section contains settings for domain that stores users and + groups in SSSD native database, that is, a domain that uses + <replaceable>id_provider=local</replaceable>. + </para> + <variablelist> + <title>Section parameters</title> + <varlistentry> + <term>default_shell (string)</term> + <listitem> + <para> + The default shell for users created + with SSSD userspace tools. + </para> + <para> + Default: <filename>/bin/bash</filename> + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>base_directory (string)</term> + <listitem> + <para> + The tools append the login name to + <replaceable>base_directory</replaceable> and + use that as the home directory. + </para> + <para> + Default: <filename>/home</filename> + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect2> + </refsect1> <refsect1 id='example'> 
@@ -611,39 +587,26 @@ not describe configuration of the domains themselves - refer to documentation on configuring domains for more details. <programlisting> -[services] -description = Local Service Configuration -activeServices = nss, pam -reconnection_retries = 3 - -[services/nss] -description = NSS Responder Configuration -filterGroups = root -filterUsers = root -debug-level = 4 - -[services/dp] -description = Data Provider Configuration -debug-level = 4 +[sssd] +domains = LOCAL +services = nss, dp, pam +config_file_version = 2 +sbus_timeout = 30 -[services/pam] -description = PAM Responder Configuration +[nss] +filter_groups = root +filter_users = root -[services/monitor] -description = Service Monitor Configuration +[pam] -[domains] -description = Domains served by SSSD -domains = LOCAL +[dp] -[domains/LOCAL] -description = LOCAL Users domain -enumerate = TRUE -minId = 5000 -maxId = 30000 -legacy = FALSE -magicPrivateGroups = TRUE -provider = local +[domain/LOCAL] +id_provider = local +min_id = 1000 +max_id = 5000 +default_shell = /bin/ksh +enumerate = true </programlisting> </para> </refsect1> |
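Review bot: The option renames in server/man/sssd-krb5.5.xml are not consistent with each other: `krb5ccache_dir` becomes `krb5_ccachedir` (the underscore between "ccache" and "dir" is dropped) while `krb5ccname_template` becomes `krb5_ccname_template`. Please confirm that `krb5_ccachedir` is the spelling the option parser accepts, because a key copied from the man page that does not match the parser is hard to debug. The same file keeps `krb5_changepw_principle` and the description "The priciple of the change password service."; the Kerberos term is "principal", so at least the description text should be corrected while these lines are being touched.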
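Review bot: In the sssd-krb5.5.xml example hunk (@@ -185,14 +185,16 @@), the added sentence says the example "does not include any identity provider", but the `[domain/FOO]` listing that follows reads like a complete domain. Suggest naming what is missing (an `id_provider` line, as the sssd-ldap example in this patch has) so nobody pastes the block as-is. The added sentence is also a comma splice; "This example shows only the configuration of Kerberos authentication; it does not include any identity provider." reads better. "FOO is one of the domains in the [sssd] section" would be more exact as "listed in the `domains` parameter of the [sssd] section".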
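Review bot: In the sssd-ldap.5.xml example hunk (@@ -455,10 +455,14 @@), `ldap_tls_reqcert = demand` is added next to `ldap_uri = ldap://ldap.mydomain.org` and `auth_provider = ldap`, but nothing in the example says how a TLS session is established on an `ldap://` URI. Readers will take this listing as the recommended setup for password authentication, so the surrounding text should state how TLS is negotiated for this URI, or the example should use a form that makes it explicit. `cache_credentials = true` and `enumerate = true` are also new here with no explanation; a sentence or a pointer to sssd.conf(5) would help.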
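Review bot: In the first two sssd.conf.5.xml hunks (@@ -53,16 +53,18 @@ and @@ -91,121 +93,65 @@), the title changes to "The [sssd] section" but the element is still `<refsect2 id='services'>`, so the anchor no longer matches its content; rename the id along with any cross-references. In the added `domains` entry, "This parameter described the list of domains" should be "describes", and the new `services` and `domains` terms carry no type while `re_expression (string)` and `full_name_format (string)` do. The re-added re_expression text still has "plattforms" twice and "older version of libpcre only support"; since these lines are being added anyway, fix them here.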
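Review bot: In the services-sections hunk (@@ -213,8 +159,8 @@), the placeholder is written `[<replaceable>$NAME</replaceable>]` with a `$` prefix, while the domain section later in the same file uses `[domain/<replaceable>NAME</replaceable>]`. Pick one convention; plain `NAME` matches the rest of the page. The sentence ending in `<quote>[nss]</quote>` also still lacks a full stop.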
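Review bot: In the hunk at @@ -277,19 +223,7 @@, the `sbusAddress` entry is removed outright rather than renamed, unlike every other option in this patch. If the option is no longer accepted, the change should be called out separately from the renames; if it is still accepted under a new name, it should stay documented. The surviving term is `sbus_timeout (string)` although it describes a timeout and the example at the end of the patch sets `sbus_timeout = 30`; `(integer)` would match the other timeout options.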
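Review bot: In the NSS hunk at @@ -362,17 +296,20 @@, the new "Default: root" sits under the joint term `filter_users, filter_groups`, but the description only speaks of excluding users; say explicitly that the default applies to both options and that the description covers groups as well. In the domain hunk at @@ -392,17 +329,17 @@, "Default: 1000 for min_id, 0 (no limit) for max_id" replaces "Default: 0 (no limit)", which is a statement about behaviour and not a rename: entries below 1000 are now documented as ignored by default. That deserves its own mention so it is not lost among the key renames. Minor: `min_id,max_id` needs a space after the comma, and "If a domain contains entry that is outside these limits, it is ignored" needs an article and a full stop.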
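Review bot: In the new local domain section (@@ -602,6 +540,44 @@) and the final example (@@ -611,39 +587,26 @@), a few things do not line up. `<replaceable>id_provider=local</replaceable>` marks a literal setting as a placeholder; `<quote>` or `<literal>` fits better, and "settings for domain that stores" needs an article. The example's introduction still says it does "not describe configuration of the domains themselves", yet the new listing configures `[domain/LOCAL]` including `default_shell = /bin/ksh`; adjust the sentence or trim the listing. The listing also adds empty `[pam]` and `[dp]` sections and sets `filter_users = root`, `filter_groups = root` and `min_id = 1000`, all of which this patch documents as defaults; say whether the empty sections are required, and consider showing non-default values so the example demonstrates something.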