summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/man/sssd-ldap.5.xml125
-rw-r--r--src/man/sssd.conf.5.xml40
2 files changed, 131 insertions, 34 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index d20d84bc..d7e29e22 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1923,27 +1923,136 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
</varlistentry>
<varlistentry>
- <term>ldap_sudo_refresh_enabled (boolean)</term>
+ <term>ldap_sudo_full_refresh_interval (integer)</term>
<listitem>
<para>
- Enables periodical download of all sudo rules.
- The cache is purged before each update.
+ How many seconds SSSD will wait between executing
+ a full refresh of sudo rules (which downloads all
+ rules that are stored on the server).
</para>
<para>
- Default: false
+ The value must be greater than
+ <emphasis>ldap_sudo_smart_refresh_interval
+ </emphasis>
+ </para>
+ <para>
+ Default: 21600 (6 hours)
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>ldap_sudo_refresh_timeout (integer)</term>
+ <term>ldap_sudo_smart_refresh_interval (integer)</term>
<listitem>
<para>
- How many seconds SSSD has to wait before refreshing
- its cache of sudo rules.
+ How many seconds SSSD has to wait before executing
+ a smart refresh of sudo rules (which downloads all
+ rules that have USN higher than the highest USN of
+ cached rules).
</para>
<para>
- Default: 300
+ If USN attributes are not supported by the server,
+ the modifyTimestamp attribute is used instead.
+ </para>
+ <para>
+ Default: 900 (15 minutes)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_sudo_use_host_filter (boolean)</term>
+ <listitem>
+ <para>
+ If true, SSSD will download only rules that are
+ applicable to this machine (using the IPv4 or IPv6
+ host/network addresses and hostnames).
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_sudo_hostnames (string)</term>
+ <listitem>
+ <para>
+ Space separated list of hostnames or fully qualified
+ domain names that should be used to filter
+ the rules.
+ </para>
+ <para>
+ <emphasis>Note:</emphasis> autoconfiguration is not
+ yet supported, therefore if this option is left
+ empty then hostname matching will be disabled.
+ </para>
+ <para>
+ If <emphasis>ldap_sudo_use_host_filter</emphasis>
+ is <emphasis>false</emphasis> then this option
+ has no effect.
+ </para>
+ <para>
+ Default: not specified
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_sudo_ip (string)</term>
+ <listitem>
+ <para>
+ Space separated list of IPv4 or IPv6
+ host/network addresses that should be used to filter
+ the rules.
+ </para>
+ <para>
+ If this option is empty, SSSD will try to
+ discover the addresses automatically.
+ </para>
+ <para>
+ If <emphasis>ldap_sudo_use_host_filter</emphasis>
+ is <emphasis>false</emphasis> then this option
+ has no effect.
+ </para>
+ <para>
+ Default: not specified
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_sudo_include_netgroups (boolean)</term>
+ <listitem>
+ <para>
+ If true then SSSD will download every rule that
+ contains a netgroup in sudoHost attribute.
+ </para>
+ <para>
+ If <emphasis>ldap_sudo_use_host_filter</emphasis>
+ is <emphasis>false</emphasis> then this option
+ has no effect.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_sudo_include_regexp (boolean)</term>
+ <listitem>
+ <para>
+ If true then SSSD will download every rule that
+ contains a regular expression in sudoHost attribute.
+ </para>
+ <para>
+ If <emphasis>ldap_sudo_use_host_filter</emphasis>
+ is <emphasis>false</emphasis> then this option
+ has no effect.
+ </para>
+ <para>
+ Default: true
</para>
</listitem>
</varlistentry>
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e6a1bbcd..bb9b9129 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -721,31 +721,6 @@
</para>
<variablelist>
<varlistentry>
- <term>sudo_cache_timeout (integer)</term>
- <listitem>
- <para>
- For any sudo request that comes while SSSD is
- online, the SSSD will attempt to update the cached
- rules in order to ensure that sudo has the latest
- ruleset.
- </para>
- <para>
- The user may, however, run a couple of sudo commands
- successively, which would trigger multiple LDAP requests.
- In order to speed up this use-case, the sudo service
- maintains an in-memory cache that would be used for
- performing fast replies.
- </para>
- <para>
- This option controls how long (in seconds) can the sudo
- service cache rules for a user.
- </para>
- <para>
- Default: 180
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>sudo_timed (bool)</term>
<listitem>
<para>
@@ -985,7 +960,20 @@
</para>
</listitem>
</varlistentry>
-
+
+ <varlistentry condition="with_sudo">
+ <term>entry_cache_sudo_timeout (integer)</term>
+ <listitem>
+ <para>
+ How many seconds should sudo consider
+ rules valid before asking the backend again
+ </para>
+ <para>
+ Default: entry_cache_timeout
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>cache_credentials (bool)</term>
<listitem>