"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "src/man/sv/sssd.conf.5.xml" between
sssd-2.4.1.tar.gz and sssd-2.4.2.tar.gz

About: SSSD is a system daemon to manage identity, authentication and authorization for centrally-managed systems. It provides several interfaces, including NSS and PAM modules or a D-Bus interface.

sssd.conf.5.xml  (sssd-2.4.1):sssd.conf.5.xml  (sssd-2.4.2)
skipping to change at line 1548 skipping to change at line 1548
<para> <para>
Note: This option can also be set per-domain which o verwrites the value in Note: This option can also be set per-domain which o verwrites the value in
[pam] section. It can also be set for trusted domain which overwrites the [pam] section. It can also be set for trusted domain which overwrites the
value in the domain section. value in the domain section.
</para> </para>
<para> <para>
Standard: True Standard: True
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>pam_gssapi_indicators_map</term>
<listitem>
<para>
Comma separated list of authentication indicators req
uired to be present in
a Kerberos ticket to access a PAM service that is allowed to try GSSAPI
authentication using pam_sss_gss.so module.
</para>
<para>
Each element of the list can be either an authenticat
ion indicator name or a
pair <quote>service:indicator</quote>. Indicators not prefixed with the PAM
service name will be required to access any PAM service configured to be
used with <option>pam_gssapi_services</option>. A resulting list of
indicators per PAM service is then checked against indicators in the
Kerberos ticket during authentication by pam_sss_gss.so. Any indicator from
the ticket that matches the resulting list of indicators for the PAM service
would grant access. If none of the indicators in the list match, access will
be denied. If the resulting list of indicators for the PAM service is empty,
the check will not prevent the access.
</para>
<para>
To disable GSSAPI authentication indicator check, set
this option to
<quote>-</quote> (dash). To disable the check for a specific PAM service,
add <quote>service:-</quote>.
</para>
<para>
Note: This option can also be set per-domain which ov
erwrites the value in
[pam] section. It can also be set for trusted domain which overwrites the
value in the domain section.
</para>
<para>
Following authentication indicators are supported by
IPA Kerberos
deployments:
<itemizedlist>
<listitem>
<para>pkinit -- pre-authentication using X.5
09 certificates -- whether stored in
files or on smart cards.</para>
</listitem>
<listitem>
<para>hardened -- SPAKE pre-authentication o
r any pre-authentication wrapped in a
FAST channel.</para>
</listitem>
<listitem>
<para>radius -- pre-authentication with the
help of a RADIUS server.</para>
</listitem>
<listitem>
<para>otp -- pre-authentication using integr
ated two-factor authentication (2FA or
one-time password, OTP) in IPA.</para>
</listitem>
</itemizedlist>
</para>
<para>
Example: to require access to SUDO services only for
users which obtained
their Kerberos tickets with a X.509 certificate pre-authentication (PKINIT),
set <programlisting>
pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
</programlisting>
</para>
<para>
Default: not set (use of authentication indicators i
s not required)
</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2 id='SUDO' condition="with_sudo"> <refsect2 id='SUDO' condition="with_sudo">
<title>SUDO-konfigurationsalternativ</title> <title>SUDO-konfigurationsalternativ</title>
<para> <para>
Dessa alternativ kan användas för att konfigurera tjänsten sudo. De Dessa alternativ kan användas för att konfigurera tjänsten sudo. De
detaljerade instruktionerna för konfiguration av <citerefentry> detaljerade instruktionerna för konfiguration av <citerefentry>
<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> <refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>
för att fungera med <citerefentry> <refentrytitle>sssd</refentrytitle> för att fungera med <citerefentry> <refentrytitle>sssd</refentrytitle>
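Review bot: The paragraph that ends "the check will not prevent the access" documents a fail-open case without calling it out. As written, a PAM service whose resulting indicator list is empty is not checked at all. An entry of the form "service:indicator" whose service name does not exactly match the PAM service therefore leaves that service unenforced, unless an unprefixed indicator is also configured. I would add a sentence stating this and advising that the service names in the map be checked against the names listed in pam_gssapi_services. The same paragraph should say explicitly that matching is any-of ("Any indicator from the ticket that matches ... would grant access"), so the option cannot require two indicators at once. In the example paragraph, "to require access to SUDO services only for users which obtained" inverts the intent and reads better as "to allow access to SUDO services only to users who obtained". Finally, the added entry is English text in the sv man page and uses "Default:" where the neighbouring entry uses "Standard:". If this is an untranslated placeholder, that is fine, but it should be tracked for translation.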
 End of changes. 1 change blocks. 
0 lines changed or deleted 74 lines changed or added
