"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "src/man/sssd.conf.5.xml" between
sssd-2.4.1.tar.gz and sssd-2.4.2.tar.gz

About: SSSD is a system daemon to manage identity, authentication and authorization for centrally-managed systems. It provides several interfaces, including NSS and PAM modules or a D-Bus interface.

sssd.conf.5.xml  (sssd-2.4.1):sssd.conf.5.xml  (sssd-2.4.2)
skipping to change at line 1774 skipping to change at line 1774
Note: This option can also be set per-domain which Note: This option can also be set per-domain which
overwrites the value in [pam] section. It can also overwrites the value in [pam] section. It can also
be set for trusted domain which overwrites the value be set for trusted domain which overwrites the value
in the domain section. in the domain section.
</para> </para>
<para> <para>
Default: True Default: True
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>pam_gssapi_indicators_map</term>
<listitem>
<para>
Comma separated list of authentication indicators req
uired
to be present in a Kerberos ticket to access a PAM se
rvice
that is allowed to try GSSAPI authentication using
pam_sss_gss.so module.
</para>
<para>
Each element of the list can be either an authenticat
ion indicator
name or a pair <quote>service:indicator</quote>. Indi
cators not
prefixed with the PAM service name will be required t
o access any
PAM service configured to be used with
<option>pam_gssapi_services</option>. A resulting lis
t of indicators
per PAM service is then checked against indicators in
the Kerberos
ticket during authentication by pam_sss_gss.so. Any i
ndicator from the
ticket that matches the resulting list of indicators
for the PAM service
would grant access. If none of the indicators in the
list match, access
will be denied. If the resulting list of indicators f
or the PAM service
is empty, the check will not prevent the access.
</para>
<para>
To disable GSSAPI authentication indicator check, set
this option
to <quote>-</quote> (dash). To disable the check for
a specific PAM
service, add <quote>service:-</quote>.
</para>
<para>
Note: This option can also be set per-domain which
overwrites the value in [pam] section. It can also
be set for trusted domain which overwrites the value
in the domain section.
</para>
<para>
Following authentication indicators are supported by
IPA Kerberos deployments:
<itemizedlist>
<listitem>
<para>pkinit -- pre-authentication using X.5
09 certificates -- whether stored in files or on smart cards.</para>
</listitem>
<listitem>
<para>hardened -- SPAKE pre-authentication o
r any pre-authentication wrapped in a FAST channel.</para>
</listitem>
<listitem>
<para>radius -- pre-authentication with the
help of a RADIUS server.</para>
</listitem>
<listitem>
<para>otp -- pre-authentication using integr
ated two-factor authentication (2FA or one-time password, OTP) in IPA.</para>
</listitem>
</itemizedlist>
</para>
<para>
Example: to require access to SUDO services only
for users which obtained their Kerberos tickets
with a X.509 certificate pre-authentication
(PKINIT), set
<programlisting>
pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
</programlisting>
</para>
<para>
Default: not set (use of authentication indicators i
s not required)
</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2 id='SUDO' condition="with_sudo"> <refsect2 id='SUDO' condition="with_sudo">
<title>SUDO configuration options</title> <title>SUDO configuration options</title>
<para> <para>
These options can be used to configure the sudo service. These options can be used to configure the sudo service.
The detailed instructions for configuration of The detailed instructions for configuration of
<citerefentry> <citerefentry>
<refentrytitle>sudo</refentrytitle> <refentrytitle>sudo</refentrytitle>
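Review bot: The second paragraph of the new pam_gssapi_indicators_map entry leaves the merge rule implicit, and it should be spelled out with a mixed example. As written, unprefixed indicators apply to every service in pam_gssapi_services and any single matching indicator grants access, so a value like "pkinit, sudo:otp" reads as accepting either pkinit or otp for sudo, which an administrator may not expect from a service-specific entry. The text also does not say whether "service:-" cancels the unprefixed indicators for that service or only the prefixed ones. Since an empty resulting list "will not prevent the access" and the default is not set, it is worth adding one sentence saying that a service listed in pam_gssapi_services with no applicable indicator is not restricted by this check. Minor wording point in the Example paragraph: "to require access to SUDO services only for users which obtained" would be clearer as "to allow access to SUDO services only to users who obtained".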
 End of changes. 1 change blocks. 
0 lines changed or deleted 83 lines changed or added
