Member "sssd-2.4.2/src/config/SSSDConfig/sssdoptions.py" (19 Feb 2021, 42216 Bytes) of package /linux/misc/sssd-2.4.2.tar.gz:
    1 import sys
    2 import gettext
    3 
PACKAGE = 'sss_daemon'
LOCALEDIR = '/usr/share/locale'

# Message catalog for the option descriptions below. With fallback=True a
# missing catalog yields NullTranslations, so `_` then returns its input
# unchanged instead of raising.
translation = gettext.translation(PACKAGE, LOCALEDIR, fallback=True)

# Python 3 translation objects only expose gettext(); Python 2 needs
# ugettext() to get unicode rather than byte strings.
_ = translation.gettext if sys.version_info[0] >= 3 else translation.ugettext
   12 
   13 
   14 class SSSDOptions(object):
   15     def __init__(self):
   16         pass
   17 
   18     option_strings = {
   19         # [service]
   20         'debug': _('Set the verbosity of the debug logging'),
   21         'debug_level': _('Set the verbosity of the debug logging'),
   22         'debug_timestamps': _('Include timestamps in debug logs'),
   23         'debug_microseconds': _('Include microseconds in timestamps in debug logs'),
   24         'debug_to_files': _('Write debug messages to logfiles'),
   25         'timeout': _('Watchdog timeout before restarting service'),
   26         'command': _('Command to start service'),
   27         'reconnection_retries': _('Number of times to attempt connection to Data Providers'),
   28         'fd_limit': _('The number of file descriptors that may be opened by this responder'),
   29         'client_idle_timeout': _('Idle time before automatic disconnection of a client'),
   30         'responder_idle_timeout': _('Idle time before automatic shutdown of the responder'),
   31         'cache_first': _('Always query all the caches before querying the Data Providers'),
   32         'offline_timeout': _('When SSSD switches to offline mode the amount of time before it tries to go back online '
   33                              'will increase based upon the time spent disconnected. This value is in seconds and '
   34                              'calculated by the following: offline_timeout + random_offset.'),
   35 
   36         # [sssd]
   37         'config_file_version': _(
   38             'Indicates what is the syntax of the config file. SSSD 0.6.0 and later use version 2.'),
   39         'services': _('SSSD Services to start'),
   40         'domains': _('SSSD Domains to start'),
   41         'sbus_timeout': _('Timeout for messages sent over the SBUS'),
   42         're_expression': _('Regex to parse username and domain'),
   43         'full_name_format': _('Printf-compatible format for displaying fully-qualified names'),
   44         'krb5_rcache_dir': _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
   45         'default_domain_suffix': _('Domain to add to names without a domain component.'),
   46         'user': _('The user to drop privileges to'),
   47         'certificate_verification': _('Tune certificate verification'),
   48         'override_space': _('All spaces in group or user names will be replaced with this character'),
   49         'disable_netlink': _('Tune sssd to honor or ignore netlink state changes'),
   50         'enable_files_domain': _('Enable or disable the implicit files domain'),
   51         'domain_resolution_order': _('A specific order of the domains to be looked up'),
   52         'monitor_resolv_conf': _('Controls if SSSD should monitor the state of resolv.conf to identify when it needs '
   53                                  'to update its internal DNS resolver.'),
   54         'try_inotify': _('SSSD monitors the state of resolv.conf to identify when it needs to update its internal DNS '
   55                          'resolver. By default, we will attempt to use inotify for this, and will fall back to '
   56                          'polling resolv.conf every five seconds if inotify cannot be used.'),
   57 
   58         # [nss]
   59         'enum_cache_timeout': _('Enumeration cache timeout length (seconds)'),
   60         'entry_cache_no_wait_timeout': _('Entry cache background update timeout length (seconds)'),
   61         'entry_negative_timeout': _('Negative cache timeout length (seconds)'),
   62         'local_negative_timeout': _('Files negative cache timeout length (seconds)'),
   63         'filter_users': _('Users that SSSD should explicitly ignore'),
   64         'filter_groups': _('Groups that SSSD should explicitly ignore'),
   65         'filter_users_in_groups': _('Should filtered users appear in groups'),
   66         'pwfield': _('The value of the password field the NSS provider should return'),
   67         'override_homedir': _('Override homedir value from the identity provider with this value'),
   68         'fallback_homedir': _('Substitute empty homedir value from the identity provider with this value'),
   69         'override_shell': _('Override shell value from the identity provider with this value'),
   70         'allowed_shells': _('The list of shells users are allowed to log in with'),
   71         'vetoed_shells': _('The list of shells that will be vetoed, and replaced with the fallback shell'),
   72         'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'),
   73         'default_shell': _('Shell to use if the provider does not list one'),
   74         'memcache_timeout': _('How long will be in-memory cache records valid'),
   75         'memcache_size_passwd': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for passwd requests'),
   76         'memcache_size_group': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for group requests'),
   77         'memcache_size_initgroups': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for initgroups requests'),
   78         'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option '
   79                                'if the template contains the format string %H.'),
   80         'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered '
   81                                  'valid.'),
   82         'entry_cache_nowait_percentage': _('The entry cache can be set to automatically update entries in the '
   83                                            'background if they are requested beyond a percentage of the '
   84                                            'entry_cache_timeout value for the domain.'),
   85 
   86         # [pam]
   87         'offline_credentials_expiration': _('How long to allow cached logins between online logins (days)'),
   88         'offline_failed_login_attempts': _('How many failed logins attempts are allowed when offline'),
   89         'offline_failed_login_delay': _(
   90             'How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
   91         'pam_verbosity': _('What kind of messages are displayed to the user during authentication'),
   92         'pam_response_filter': _('Filter PAM responses sent to the pam_sss'),
   93         'pam_id_timeout': _('How many seconds to keep identity information cached for PAM requests'),
   94         'pam_pwd_expiration_warning': _('How many days before password expiration a warning should be displayed'),
   95         'pam_trusted_users': _('List of trusted uids or user\'s name'),
   96         'pam_public_domains': _('List of domains accessible even for untrusted users.'),
   97         'pam_account_expired_message': _('Message printed when user account is expired.'),
   98         'pam_account_locked_message': _('Message printed when user account is locked.'),
   99         'pam_cert_auth': _('Allow certificate based/Smartcard authentication.'),
  100         'pam_cert_db_path': _('Path to certificate database with PKCS#11 modules.'),
  101         'p11_child_timeout': _('How many seconds will pam_sss wait for p11_child to finish'),
  102         'pam_app_services': _('Which PAM services are permitted to contact application domains'),
  103         'pam_p11_allowed_services': _('Allowed services for using smartcards'),
  104         'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
  105         'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
  106         'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
  107         'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
  108         'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'),
  109         'pam_gssapi_indicators_map' : _('List of pairs <PAM service>:<authentication indicator> that '
  110                                         'must be enforced for PAM access with GSSAPI authentication'),
  111 
  112         # [sudo]
  113         'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
  114         'sudo_inverse_order': _('If true, SSSD will switch back to lower-wins ordering logic'),
  115         'sudo_threshold': _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh '
  116                             'is performed.'),
  117 
  118         # [autofs]
  119         'autofs_negative_timeout': _('Negative cache timeout length (seconds)'),
  120 
  121         # [ssh]
  122         'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'),
  123         'ssh_known_hosts_timeout': _('How many seconds to keep a host in the known_hosts file after its host keys '
  124                                      'were requested'),
  125         'ca_db': _('Path to storage of trusted CA certificates'),
  126         'ssh_use_certificate_keys': _('Allow to generate ssh-keys from certificates'),
  127         'ssh_use_certificate_matching_rules': _('Use the following matching rules to filter the certificates for '
  128                                                 'ssh-key generation'),
  129 
  130         # [pac]
  131         'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'),
  132         'pac_lifetime': _('How long the PAC data is considered valid'),
  133 
  134         # [ifp]
  135         'user_attributes': _('List of user attributes the InfoPipe is allowed to publish'),
  136 
  137         # [secrets]
  138         'provider': _('The provider where the secrets will be stored in'),
  139         'containers_nest_level': _('The maximum allowed number of nested containers'),
  140         'max_secrets': _('The maximum number of secrets that can be stored'),
  141         'max_uid_secrets': _('The maximum number of secrets that can be stored per UID'),
  142         'max_payload_size': _('The maximum payload size of a secret in kilobytes'),
  143         # secrets - proxy
  144         'proxy_url': _('The URL Custodia server is listening on'),
  145         'auth_type': _('The method to use when authenticating to a Custodia server'),
  146         'auth_header_name': _('The name of the headers that will be added into a HTTP request with the value defined '
  147                               'in auth_header_value'),
  148         'auth_header_value': _('The value sssd-secrets would use for auth_header_name'),
  149         'forward_headers': _('The list of the headers to forward to the Custodia server together with the request'),
  150         'username': _('The username to use when authenticating to a Custodia server using basic_auth'),
  151         'password': _('The password to use when authenticating to a Custodia server using basic_auth'),
  152         'verify_peer': _('If true peer\'s certificate is verified if proxy_url uses https protocol'),
  153         'verify_host': _('If false peer\'s certificate may contain different hostname than proxy_url when https '
  154                          'protocol is used'),
  155         'capath': _('Path to directory where certificate authority certificates are stored'),
  156         'cacert': _('Path to file containing server\'s CA certificate'),
  157         'cert': _('Path to file containing client\'s certificate'),
  158         'key': _('Path to file containing client\'s private key'),
  159 
  160         # [session_recording]
  161         'scope': _('One of the following strings specifying the scope of session recording: none - No users are '
  162                    'recorded. some - Users/groups specified by users and groups options are recorded. all - All users '
  163                    'are recorded.'),
  164         'users': _('A comma-separated list of users which should have session recording enabled. Matches user names '
  165                    'as returned by NSS. I.e. after the possible space replacement, case changes, etc.'),
  166         'groups': _('A comma-separated list of groups, members of which should have session recording enabled. '
  167                     'Matches group names as returned by NSS. I.e. after the possible space replacement, case changes, '
  168                     'etc.'),
  169         'exclude_users': _('A comma-separated list of users to be excluded from recording, only when scope=all'),
  170         'exclude_groups': _('A comma-separated list of groups, members of which should be excluded from recording, '
  171                             ' only when scope=all. '),
  172 
  173         # [provider]
  174         'id_provider': _('Identity provider'),
  175         'auth_provider': _('Authentication provider'),
  176         'access_provider': _('Access control provider'),
  177         'chpass_provider': _('Password change provider'),
  178         'sudo_provider': _('SUDO provider'),
  179         'autofs_provider': _('Autofs provider'),
  180         'hostid_provider': _('Host identity provider'),
  181         'selinux_provider': _('SELinux provider'),
  182         'session_provider': _('Session management provider'),
  183         'resolver_provider' : _('Resolver provider'),
  184 
  185         # [domain]
  186         'domain_type': _('Whether the domain is usable by the OS or by applications'),
  187         'enabled': _('Enable or disable the domain'),
  188         'min_id': _('Minimum user ID'),
  189         'max_id': _('Maximum user ID'),
  190         'enumerate': _('Enable enumerating all users/groups'),
  191         'cache_credentials': _('Cache credentials for offline login'),
  192         'use_fully_qualified_names': _('Display users/groups in fully-qualified form'),
  193         'ignore_group_members': _('Don\'t include group members in group lookups'),
  194         'entry_cache_timeout': _('Entry cache timeout length (seconds)'),
  195         'lookup_family_order': _('Restrict or prefer a specific address family when performing DNS lookups'),
  196         'account_cache_expiration': _('How long to keep cached entries after last successful login (days)'),
  197         'dns_resolver_server_timeout': _('How long should SSSD talk to single DNS server before trying next server ('
  198                                          'miliseconds)'),
  199         'dns_resolver_op_timeout': _('How long should keep trying to resolve single DNS query (seconds)'),
  200         'dns_resolver_timeout': _('How long to wait for replies from DNS when resolving servers (seconds)'),
  201         'dns_discovery_domain': _('The domain part of service discovery DNS query'),
  202         'override_gid': _('Override GID value from the identity provider with this value'),
  203         'case_sensitive': _('Treat usernames as case sensitive'),
  204         'entry_cache_user_timeout': _('Entry cache timeout length (seconds)'),
  205         'entry_cache_group_timeout': _('Entry cache timeout length (seconds)'),
  206         'entry_cache_netgroup_timeout': _('Entry cache timeout length (seconds)'),
  207         'entry_cache_service_timeout': _('Entry cache timeout length (seconds)'),
  208         'entry_cache_autofs_timeout': _('Entry cache timeout length (seconds)'),
  209         'entry_cache_sudo_timeout': _('Entry cache timeout length (seconds)'),
  210         'entry_cache_resolver_timeout' : _('Entry cache timeout length (seconds)'),
  211         'refresh_expired_interval': _('How often should expired entries be refreshed in background'),
  212         'dyndns_update': _("Whether to automatically update the client's DNS entry"),
  213         'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
  214         'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
  215         'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"),
  216         'dyndns_update_ptr': _("Whether the provider should explicitly update the PTR record as well"),
  217         'dyndns_force_tcp': _("Whether the nsupdate utility should default to using TCP"),
  218         'dyndns_auth': _("What kind of authentication should be used to perform the DNS update"),
  219         'dyndns_server': _("Override the DNS server used to perform the DNS update"),
  220         'subdomain_enumerate': _('Control enumeration of trusted domains'),
  221         'subdomain_refresh_interval': _('How often should subdomains list be refreshed'),
  222         'subdomain_inherit': _('List of options that should be inherited into a subdomain'),
  223         'subdomain_homedir': _('Default subdomain homedir value'),
  224         'cached_auth_timeout': _('How long can cached credentials be used for cached authentication'),
  225         'auto_private_groups': _('Whether to automatically create private groups for users'),
  226         'pwd_expiration_warning': _('Display a warning N days before the password expires.'),
  227         'realmd_tags': _('Various tags stored by the realmd configuration service for this domain.'),
  228         'subdomains_provider': _('The provider which should handle fetching of subdomains. This value should be '
  229                                  'always the same as id_provider.'),
  230         'entry_cache_ssh_host_timeout': _('How many seconds to keep a host ssh key after refresh. IE how long to '
  231                                           'cache the host key for.'),
  232         'cache_credentials_minimal_first_factor_length': _('If 2-Factor-Authentication (2FA) is used and credentials '
  233                                                            'should be saved this value determines the minimal length '
  234                                                            'the first authentication factor (long term password) must '
  235                                                            'have to be saved as SHA512 hash into the cache.'),
  236 
  237         # [provider/ipa]
  238         'ipa_domain': _('IPA domain'),
  239         'ipa_server': _('IPA server address'),
  240         'ipa_backup_server': _('Address of backup IPA server'),
  241         'ipa_hostname': _('IPA client hostname'),
  242         'ipa_dyndns_update': _("Whether to automatically update the client's DNS entry in FreeIPA"),
  243         'ipa_dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
  244         'ipa_dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
  245         'ipa_hbac_search_base': _("Search base for HBAC related objects"),
  246         'ipa_hbac_refresh': _("The amount of time between lookups of the HBAC rules against the IPA server"),
  247         'ipa_selinux_refresh': _("The amount of time in seconds between lookups of the SELinux maps against the IPA "
  248                                  "server"),
  249         'ipa_hbac_support_srchost': _("If set to false, host argument given by PAM will be ignored"),
  250         'ipa_automount_location': _("The automounter location this IPA client is using"),
  251         'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"),
  252         'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"),
  253         'ipa_enable_dns_sites': _("Enable DNS sites - location based service discovery"),
  254         'ipa_views_search_base': _("Search base for view containers"),
  255         'ipa_view_class': _("Objectclass for view containers"),
  256         'ipa_view_name': _("Attribute with the name of the view"),
  257         'ipa_override_object_class': _("Objectclass for override objects"),
  258         'ipa_anchor_uuid': _("Attribute with the reference to the original object"),
  259         'ipa_user_override_object_class': _("Objectclass for user override objects"),
  260         'ipa_group_override_object_class': _("Objectclass for group override objects"),
  261         'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"),
  262         'ipa_deskprofile_refresh': _("The amount of time in seconds between lookups of the Desktop Profile rules "
  263                                      "against the IPA server"),
  264         'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles "
  265                                               "rules against the IPA server when the last request did not find any "
  266                                               "rule"),
  267         'ipa_host_fqdn': _('The LDAP attribute that contains FQDN of the host.'),
  268         'ipa_host_object_class': _('The object class of a host entry in LDAP.'),
  269         'ipa_host_search_base': _('Use the given string as search base for host objects.'),
  270         'ipa_host_ssh_public_key': _('The LDAP attribute that contains the host\'s SSH public keys.'),
  271         'ipa_netgroup_domain': _('The LDAP attribute that contains NIS domain name of the netgroup.'),
  272         'ipa_netgroup_member': _('The LDAP attribute that contains the names of the netgroup\'s members.'),
  273         'ipa_netgroup_member_ext_host': _('The LDAP attribute that lists FQDNs of hosts and host groups that are '
  274                                           'members of the netgroup.'),
  275         'ipa_netgroup_member_host': _('The LDAP attribute that lists hosts and host groups that are direct members of '
  276                                       'the netgroup.'),
  277         'ipa_netgroup_member_of': _('The LDAP attribute that lists netgroup\'s memberships.'),
  278         'ipa_netgroup_member_user': _('The LDAP attribute that lists system users and groups that are direct members '
  279                                       'of the netgroup.'),
  280         'ipa_netgroup_name': _('The LDAP attribute that corresponds to the netgroup name.'),
  281         'ipa_netgroup_object_class': _('The object class of a netgroup entry in LDAP.'),
  282         'ipa_netgroup_uuid': _('The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object.'),
  283         'ipa_selinux_usermap_enabled': _('The LDAP attribute that contains whether or not is user map enabled for '
  284                                          'usage.'),
  285         'ipa_selinux_usermap_host_category': _('The LDAP attribute that contains host category such as \'all\'.'),
  286         'ipa_selinux_usermap_member_host': _('The LDAP attribute that contains all hosts / hostgroups this rule match '
  287                                              'against.'),
  288         'ipa_selinux_usermap_member_user': _('The LDAP attribute that contains all users / groups this rule match '
  289                                              'against.'),
  290         'ipa_selinux_usermap_name': _('The LDAP attribute that contains the name of SELinux usermap.'),
  291         'ipa_selinux_usermap_object_class': _('The object class of a host entry in LDAP.'),
  292         'ipa_selinux_usermap_see_also': _('The LDAP attribute that contains DN of HBAC rule which can be used for '
  293                                           'matching instead of memberUser and memberHost.'),
  294         'ipa_selinux_usermap_selinux_user': _('The LDAP attribute that contains SELinux user string itself.'),
  295         'ipa_selinux_usermap_user_category': _('The LDAP attribute that contains user category such as \'all\'.'),
  296         'ipa_selinux_usermap_uuid': _('The LDAP attribute that contains unique ID of the user map.'),
  297         'ipa_server_mode': _('The option denotes that the SSSD is running on IPA server and should perform lookups of '
  298                              'users and groups from trusted domains differently.'),
  299         'ipa_subdomains_search_base': _('Use the given string as search base for trusted domains.'),
  300 
  301         # [provider/ad]
  302         'ad_domain': _('Active Directory domain'),
  303         'ad_enabled_domains': _('Enabled Active Directory domains'),
  304         'ad_server': _('Active Directory server address'),
  305         'ad_backup_server': _('Active Directory backup server address'),
  306         'ad_hostname': _('Active Directory client hostname'),
  307         'ad_enable_dns_sites': _('Enable DNS sites - location based service discovery'),
  308         'ad_access_filter': _('LDAP filter to determine access privileges'),
  309         'ad_enable_gc': _('Whether to use the Global Catalog for lookups'),
  310         'ad_gpo_access_control': _('Operation mode for GPO-based access control'),
  311         'ad_gpo_cache_timeout': _("The amount of time between lookups of the GPO policy files against the AD server"),
  312         'ad_gpo_map_interactive': _('PAM service names that map to the GPO (Deny)InteractiveLogonRight '
  313                                     'policy settings'),
  314         'ad_gpo_map_remote_interactive': _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight '
  315                                            'policy settings'),
  316         'ad_gpo_map_network': _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'),
  317         'ad_gpo_map_batch': _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'),
  318         'ad_gpo_map_service': _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'),
  319         'ad_gpo_map_permit': _('PAM service names for which GPO-based access is always granted'),
  320         'ad_gpo_map_deny': _('PAM service names for which GPO-based access is always denied'),
  321         'ad_gpo_default_right': _('Default logon right (or permit/deny) to use for unmapped PAM service names'),
  322         'ad_site': _('a particular site to be used by the client'),
  323         'ad_maximum_machine_account_password_age': _('Maximum age in days before the machine account password should '
  324                                                      'be renewed'),
  325         'ad_machine_account_password_renewal_opts': _('Option for tuning the machine account renewal task'),
  326         'ad_update_samba_machine_account_password': _('Whether to update the machine account password in the Samba '
  327                                                       'database'),
  328         'ad_use_ldaps': _('Use LDAPS port for LDAP and Global Catalog requests'),
  329         'ad_allow_remote_domain_local_groups' : _('Do not filter domain local groups from other domains'),
  330 
  331         # [provider/krb5]
  332         'krb5_kdcip': _('Kerberos server address'),
  333         'krb5_server': _('Kerberos server address'),
  334         'krb5_backup_server': _('Kerberos backup server address'),
  335         'krb5_realm': _('Kerberos realm'),
  336         'krb5_auth_timeout': _('Authentication timeout'),
  337         'krb5_use_kdcinfo': _('Whether to create kdcinfo files'),
  338         'krb5_confd_path': _('Where to drop krb5 config snippets'),
  339 
  340         # [provider/krb5/auth]
  341         'krb5_ccachedir': _('Directory to store credential caches'),
  342         'krb5_ccname_template': _("Location of the user's credential cache"),
  343         'krb5_keytab': _("Location of the keytab to validate credentials"),
  344         'krb5_validate': _("Enable credential validation"),
  345         'krb5_store_password_if_offline': _("Store password if offline for later online authentication"),
  346         'krb5_renewable_lifetime': _("Renewable lifetime of the TGT"),
  347         'krb5_lifetime': _("Lifetime of the TGT"),
  348         'krb5_renew_interval': _("Time between two checks for renewal"),
  349         'krb5_use_fast': _("Enables FAST"),
  350         'krb5_fast_principal': _("Selects the principal to use for FAST"),
  351         'krb5_canonicalize': _("Enables principal canonicalization"),
  352         'krb5_use_enterprise_principal': _("Enables enterprise principals"),
  353         'krb5_use_subdomain_realm': _("Enables using of subdomains realms for authentication"),
  354         'krb5_map_user': _('A mapping from user names to Kerberos principal names'),
  355 
  356         # [provider/krb5/chpass]
  357         'krb5_kpasswd': _('Server where the change password service is running if not on the KDC'),
  358         'krb5_backup_kpasswd': _('Server where the change password service is running if not on the KDC'),
  359 
  360         # [provider/ldap]
  361         'ldap_uri': _('ldap_uri, The URI of the LDAP server'),
  362         'ldap_backup_uri': _('ldap_backup_uri, The URI of the LDAP server'),
  363         'ldap_search_base': _('The default base DN'),
  364         'ldap_schema': _('The Schema Type in use on the LDAP server, rfc2307'),
  365         'ldap_pwmodify_mode': _('Mode used to change user password'),
  366         'ldap_default_bind_dn': _('The default bind DN'),
  367         'ldap_default_authtok_type': _('The type of the authentication token of the default bind DN'),
  368         'ldap_default_authtok': _('The authentication token of the default bind DN'),
  369         'ldap_network_timeout': _('Length of time to attempt connection'),
  370         'ldap_opt_timeout': _('Length of time to attempt synchronous LDAP operations'),
  371         'ldap_offline_timeout': _('Length of time between attempts to reconnect while offline'),
  372         'ldap_force_upper_case_realm': _('Use only the upper case for realm names'),
  373         'ldap_tls_cacert': _('File that contains CA certificates'),
  374         'ldap_tls_cacertdir': _('Path to CA certificate directory'),
  375         'ldap_tls_cert': _('File that contains the client certificate'),
  376         'ldap_tls_key': _('File that contains the client key'),
  377         'ldap_tls_cipher_suite': _('List of possible ciphers suites'),
  378         'ldap_tls_reqcert': _('Require TLS certificate verification'),
  379         'ldap_sasl_mech': _('Specify the sasl mechanism to use'),
  380         'ldap_sasl_authid': _('Specify the sasl authorization id to use'),
  381         'ldap_sasl_realm': _('Specify the sasl authorization realm to use'),
  382         'ldap_sasl_minssf': _('Specify the minimal SSF for LDAP sasl authorization'),
  383         'ldap_sasl_maxssf': _('Specify the maximal SSF for LDAP sasl authorization'),
  384         'ldap_krb5_keytab': _('Kerberos service keytab'),
  385         'ldap_krb5_init_creds': _('Use Kerberos auth for LDAP connection'),
  386         'ldap_referrals': _('Follow LDAP referrals'),
  387         'ldap_krb5_ticket_lifetime': _('Lifetime of TGT for LDAP connection'),
  388         'ldap_deref': _('How to dereference aliases'),
  389         'ldap_dns_service_name': _('Service name for DNS service lookups'),
  390         'ldap_page_size': _('The number of records to retrieve in a single LDAP query'),
  391         'ldap_deref_threshold': _('The number of members that must be missing to trigger a full deref'),
  392         'ldap_sasl_canonicalize': _('Whether the LDAP library should perform a reverse lookup to canonicalize the '
  393                                     'host name during a SASL bind'),
  394         'ldap_rfc2307_fallback_to_local_users': _('Allows to retain local users as members of an LDAP group for '
  395                                                   'servers that use the RFC2307 schema.'),
  396 
  397         'ldap_entry_usn': _('entryUSN attribute'),
  398         'ldap_rootdse_last_usn': _('lastUSN attribute'),
  399 
  400         'ldap_connection_expiration_timeout': _('How long to retain a connection to the LDAP server before '
  401                                                 'disconnecting'),
  402 
  403         'ldap_disable_paging': _('Disable the LDAP paging control'),
  404         'ldap_disable_range_retrieval': _('Disable Active Directory range retrieval'),
  405 
  406         # [provider/ldap/id]
  407         'ldap_search_timeout': _('Length of time to wait for a search request'),
  408         'ldap_enumeration_search_timeout': _('Length of time to wait for a enumeration request'),
  409         'ldap_enumeration_refresh_timeout': _('Length of time between enumeration updates'),
  410         'ldap_purge_cache_timeout': _('Length of time between cache cleanups'),
  411         'ldap_id_use_start_tls': _('Require TLS for ID lookups'),
  412         'ldap_id_mapping': _('Use ID-mapping of objectSID instead of pre-set IDs'),
  413         'ldap_user_search_base': _('Base DN for user lookups'),
  414         'ldap_user_search_scope': _('Scope of user lookups'),
  415         'ldap_user_search_filter': _('Filter for user lookups'),
  416         'ldap_user_object_class': _('Objectclass for users'),
  417         'ldap_user_name': _('Username attribute'),
  418         'ldap_user_uid_number': _('UID attribute'),
  419         'ldap_user_gid_number': _('Primary GID attribute'),
  420         'ldap_user_gecos': _('GECOS attribute'),
  421         'ldap_user_home_directory': _('Home directory attribute'),
  422         'ldap_user_shell': _('Shell attribute'),
  423         'ldap_user_uuid': _('UUID attribute'),
  424         'ldap_user_objectsid': _("objectSID attribute"),
  425         'ldap_user_primary_group': _('Active Directory primary group attribute for ID-mapping'),
  426         'ldap_user_principal': _('User principal attribute (for Kerberos)'),
  427         'ldap_user_fullname': _('Full Name'),
  428         'ldap_user_member_of': _('memberOf attribute'),
  429         'ldap_user_modify_timestamp': _('Modification time attribute'),
  430         'ldap_user_shadow_last_change': _('shadowLastChange attribute'),
  431         'ldap_user_shadow_min': _('shadowMin attribute'),
  432         'ldap_user_shadow_max': _('shadowMax attribute'),
  433         'ldap_user_shadow_warning': _('shadowWarning attribute'),
  434         'ldap_user_shadow_inactive': _('shadowInactive attribute'),
  435         'ldap_user_shadow_expire': _('shadowExpire attribute'),
  436         'ldap_user_shadow_flag': _('shadowFlag attribute'),
  437         'ldap_user_authorized_service': _('Attribute listing authorized PAM services'),
  438         'ldap_user_authorized_host': _('Attribute listing authorized server hosts'),
  439         'ldap_user_authorized_rhost': _('Attribute listing authorized server rhosts'),
  440         'ldap_user_krb_last_pwd_change': _('krbLastPwdChange attribute'),
  441         'ldap_user_krb_password_expiration': _('krbPasswordExpiration attribute'),
  442         'ldap_pwd_attribute': _('Attribute indicating that server side password policies are active'),
  443         'ldap_user_ad_account_expires': _('accountExpires attribute of AD'),
  444         'ldap_user_ad_user_account_control': _('userAccountControl attribute of AD'),
  445         'ldap_ns_account_lock': _('nsAccountLock attribute'),
  446         'ldap_user_nds_login_disabled': _('loginDisabled attribute of NDS'),
  447         'ldap_user_nds_login_expiration_time': _('loginExpirationTime attribute of NDS'),
  448         'ldap_user_nds_login_allowed_time_map': _('loginAllowedTimeMap attribute of NDS'),
  449         'ldap_user_ssh_public_key': _('SSH public key attribute'),
  450         'ldap_user_auth_type': _('attribute listing allowed authentication types for a user'),
  451         'ldap_user_certificate': _('attribute containing the X509 certificate of the user'),
  452         'ldap_user_email': _('attribute containing the email address of the user'),
  453         'ldap_user_extra_attrs': _('A list of extra attributes to download along with the user entry'),
  454 
  455         'ldap_group_search_base': _('Base DN for group lookups'),
  456         'ldap_group_object_class': _('Objectclass for groups'),
  457         'ldap_group_name': _('Group name'),
  458         'ldap_group_pwd': _('Group password'),
  459         'ldap_group_gid_number': _('GID attribute'),
  460         'ldap_group_member': _('Group member attribute'),
  461         'ldap_group_uuid': _('Group UUID attribute'),
  462         'ldap_group_objectsid': _("objectSID attribute"),
  463         'ldap_group_modify_timestamp': _('Modification time attribute for groups'),
  464         'ldap_group_type': _('Type of the group and other flags'),
  465         'ldap_group_external_member': _('The LDAP group external member attribute'),
  466         'ldap_group_nesting_level': _('Maximum nesting level SSSD will follow'),
  467         'ldap_group_search_filter': _('Filter for group lookups'),
  468         'ldap_group_search_scope': _('Scope of group lookups'),
  469 
  470         'ldap_netgroup_search_base': _('Base DN for netgroup lookups'),
  471         'ldap_netgroup_object_class': _('Objectclass for netgroups'),
  472         'ldap_netgroup_name': _('Netgroup name'),
  473         'ldap_netgroup_member': _('Netgroups members attribute'),
  474         'ldap_netgroup_triple': _('Netgroup triple attribute'),
  475         'ldap_netgroup_modify_timestamp': _('Modification time attribute for netgroups'),
  476 
  477         'ldap_service_search_base': _('Base DN for service lookups'),
  478         'ldap_service_object_class': _('Objectclass for services'),
  479         'ldap_service_name': _('Service name attribute'),
  480         'ldap_service_port': _('Service port attribute'),
  481         'ldap_service_proto': _('Service protocol attribute'),
  482 
  483         'ldap_idmap_range_min': _('Lower bound for ID-mapping'),
  484         'ldap_idmap_range_max': _('Upper bound for ID-mapping'),
  485         'ldap_idmap_range_size': _('Number of IDs for each slice when ID-mapping'),
  486         'ldap_idmap_autorid_compat': _('Use autorid-compatible algorithm for ID-mapping'),
  487         'ldap_idmap_default_domain': _('Name of the default domain for ID-mapping'),
  488         'ldap_idmap_default_domain_sid': _('SID of the default domain for ID-mapping'),
  489         'ldap_idmap_helper_table_size': _('Number of secondary slices'),
  490 
  491         'ldap_use_tokengroups': _('Whether to use Token-Groups'),
  492         'ldap_min_id': _('Set lower boundary for allowed IDs from the LDAP server'),
  493         'ldap_max_id': _('Set upper boundary for allowed IDs from the LDAP server'),
  494         'ldap_pwdlockout_dn': _('DN for ppolicy queries'),
  495         'wildcard_limit': _('How many maximum entries to fetch during a wildcard request'),
  496         'ldap_library_debug_level': _('Set libldap debug level'),
  497 
  498         # [provider/ldap/auth]
  499         'ldap_pwd_policy': _('Policy to evaluate the password expiration'),
  500 
  501         # [provider/ldap/access]
  502         'ldap_access_filter': _('LDAP filter to determine access privileges'),
  503         'ldap_account_expire_policy': _('Which attributes shall be used to evaluate if an account is expired'),
  504         'ldap_access_order': _('Which rules should be used to evaluate access control'),
  505 
  506         # [provider/ldap/chpass]
  507         'ldap_chpass_uri': _('URI of an LDAP server where password changes are allowed'),
  508         'ldap_chpass_backup_uri': _('URI of a backup LDAP server where password changes are allowed'),
  509         'ldap_chpass_dns_service_name': _('DNS service name for LDAP password change server'),
  510         'ldap_chpass_update_last_change': _('Whether to update the ldap_user_shadow_last_change attribute after a '
  511                                             'password change'),
  512 
  513         # [provider/ldap/sudo]
  514         'ldap_sudo_search_base': _('Base DN for sudo rules lookups'),
  515         'ldap_sudo_full_refresh_interval': _('Automatic full refresh period'),
  516         'ldap_sudo_smart_refresh_interval': _('Automatic smart refresh period'),
  517         'ldap_sudo_use_host_filter': _('Whether to filter rules by hostname, IP addresses and network'),
  518         'ldap_sudo_hostnames': _('Hostnames and/or fully qualified domain names of this machine to filter sudo rules'),
  519         'ldap_sudo_ip': _('IPv4 or IPv6 addresses or network of this machine to filter sudo rules'),
  520         'ldap_sudo_include_netgroups': _('Whether to include rules that contains netgroup in host attribute'),
  521         'ldap_sudo_include_regexp': _('Whether to include rules that contains regular expression in host attribute'),
  522         'ldap_sudorule_object_class': _('Object class for sudo rules'),
  523         'ldap_sudorule_object_class_attr': _('Name of attribute that is used as object class for sudo rules'),
  524         'ldap_sudorule_name': _('Sudo rule name'),
  525         'ldap_sudorule_command': _('Sudo rule command attribute'),
  526         'ldap_sudorule_host': _('Sudo rule host attribute'),
  527         'ldap_sudorule_user': _('Sudo rule user attribute'),
  528         'ldap_sudorule_option': _('Sudo rule option attribute'),
  529         'ldap_sudorule_runas': _('Sudo rule runas attribute'),
  530         'ldap_sudorule_runasuser': _('Sudo rule runasuser attribute'),
  531         'ldap_sudorule_runasgroup': _('Sudo rule runasgroup attribute'),
  532         'ldap_sudorule_notbefore': _('Sudo rule notbefore attribute'),
  533         'ldap_sudorule_notafter': _('Sudo rule notafter attribute'),
  534         'ldap_sudorule_order': _('Sudo rule order attribute'),
  535 
  536         # [provider/ldap/autofs]
  537         'ldap_autofs_map_object_class': _('Object class for automounter maps'),
  538         'ldap_autofs_map_name': _('Automounter map name attribute'),
  539         'ldap_autofs_entry_object_class': _('Object class for automounter map entries'),
  540         'ldap_autofs_entry_key': _('Automounter map entry key attribute'),
  541         'ldap_autofs_entry_value': _('Automounter map entry value attribute'),
  542         'ldap_autofs_search_base': _('Base DN for automounter map lookups'),
  543         'ldap_autofs_map_master_name': _('The name of the automount master map in LDAP.'),
  544 
  545         # [provider/ldap/resolver]
  546         'ldap_iphost_search_base': _('Base DN for IP hosts lookups'),
  547         'ldap_iphost_object_class': _('Object class for IP hosts'),
  548         'ldap_iphost_name': _('IP host name attribute'),
  549         'ldap_iphost_number': _('IP host number (address) attribute'),
  550         'ldap_iphost_entry_usn': _('IP host entryUSN attribute'),
  551         'ldap_ipnetwork_search_base': _('Base DN for IP networks lookups'),
  552         'ldap_ipnetwork_object_class': _('Object class for IP networks'),
  553         'ldap_ipnetwork_name': _('IP network name attribute'),
  554         'ldap_ipnetwork_number': _('IP network number (address) attribute'),
  555         'ldap_ipnetwork_entry_usn': _('IP network entryUSN attribute'),
  556 
  557         # [provider/simple/access]
  558         'simple_allow_users': _('Comma separated list of allowed users'),
  559         'simple_deny_users': _('Comma separated list of prohibited users'),
  560         'simple_allow_groups': _('Comma separated list of groups that are allowed to log in. This applies only to '
  561                                  'groups within this SSSD domain. Local groups are not evaluated.'),
  562         'simple_deny_groups': _('Comma separated list of groups that are explicitly denied access. This applies only '
  563                                 'to groups within this SSSD domain. Local groups are not evaluated.'),
  564 
  565         # [provider/local/id]
  566         'base_directory': _('Base for home directories'),
  567         'create_homedir': _('Indicate if a home directory should be created for new users.'),
  568         'remove_homedir': _('Indicate if a home directory should be removed for deleted users.'),
  569         'homedir_umask': _('Specify the default permissions on a newly created home directory.'),
  570         'skel_dir': _('The skeleton directory.'),
  571         'mail_dir': _('The mail spool directory.'),
  572         'userdel_cmd': _('The command that is run after a user is removed.'),
  573 
  574         # [provider/proxy]
  575         'proxy_max_children': _('The number of preforked proxy children.'),
  576 
  577         # [provider/proxy/id]
  578         'proxy_lib_name': _('The name of the NSS library to use'),
  579         'proxy_resolver_lib_name' : _('The name of the NSS library to use for hosts and networks lookups'),
  580         'proxy_fast_alias': _('Whether to look up canonical group name from cache if possible'),
  581 
  582         # [provider/proxy/auth]
  583         'proxy_pam_target': _('PAM stack to use'),
  584 
  585         # [provider/files]
  586         'passwd_files': _('Path of passwd file sources.'),
  587         'group_files': _('Path of group file sources.')
  588     }