"Fossies" - the Fresh Open Source Software Archive

Member "sssd-2.4.2/src/man/po/sssd-docs.pot" (19 Feb 2021, 710000 Bytes) of package /linux/misc/sssd-2.4.2.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 # SOME DESCRIPTIVE TITLE
    2 # Copyright (C) YEAR Red Hat
    3 # This file is distributed under the same license as the sssd-docs package.
    4 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
    5 #
    6 #, fuzzy
    7 msgid ""
    8 msgstr ""
    9 "Project-Id-Version: sssd-docs 2.4.2\n"
   10 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
   11 "POT-Creation-Date: 2021-02-19 16:49+0100\n"
   12 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
   13 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
   14 "Language-Team: LANGUAGE <LL@li.org>\n"
   15 "Language: \n"
   16 "MIME-Version: 1.0\n"
   17 "Content-Type: text/plain; charset=UTF-8\n"
   18 "Content-Transfer-Encoding: 8bit\n"
   19 
   20 #. type: Content of: <reference><title>
   21 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
   22 #: pam_sss_gss.8.xml:5 sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5
   23 #: sss-certmap.5.xml:5 sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5
   24 #: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
   25 #: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
   26 #: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
   27 #: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
   28 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
   29 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
   30 #: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
   31 #: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5
   32 msgid "SSSD Manual pages"
   33 msgstr ""
   34 
   35 #. type: Content of: <reference><refentry><refnamediv><refname>
   36 #: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
   37 msgid "sss_groupmod"
   38 msgstr ""
   39 
   40 #. type: Content of: <reference><refentry><refmeta><manvolnum>
   41 #: sss_groupmod.8.xml:11 pam_sss.8.xml:12 pam_sss_gss.8.xml:12
   42 #: sssd_krb5_locator_plugin.8.xml:11 sssd.8.xml:11 sss_obfuscate.8.xml:11
   43 #: sss_override.8.xml:11 sss_useradd.8.xml:11 sss_groupadd.8.xml:11
   44 #: sss_userdel.8.xml:11 sss_groupdel.8.xml:11 sss_groupshow.8.xml:11
   45 #: sss_usermod.8.xml:11 sss_cache.8.xml:11 sss_debuglevel.8.xml:11
   46 #: sss_seed.8.xml:11 idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11
   47 msgid "8"
   48 msgstr ""
   49 
   50 #. type: Content of: <reference><refentry><refnamediv><refpurpose>
   51 #: sss_groupmod.8.xml:16
   52 msgid "modify a group"
   53 msgstr ""
   54 
   55 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
   56 #: sss_groupmod.8.xml:21
   57 msgid ""
   58 "<command>sss_groupmod</command> <arg choice='opt'> "
   59 "<replaceable>options</replaceable> </arg> <arg "
   60 "choice='plain'><replaceable>GROUP</replaceable></arg>"
   61 msgstr ""
   62 
   63 #. type: Content of: <reference><refentry><refsect1><title>
   64 #: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:63
   65 #: pam_sss_gss.8.xml:30 sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22
   66 #: sss-certmap.5.xml:21 sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21
   67 #: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_override.8.xml:30
   68 #: sss_useradd.8.xml:30 sssd-krb5.5.xml:21 sss_groupadd.8.xml:30
   69 #: sss_userdel.8.xml:30 sss_groupdel.8.xml:30 sss_groupshow.8.xml:30
   70 #: sss_usermod.8.xml:30 sss_cache.8.xml:29 sss_debuglevel.8.xml:30
   71 #: sss_seed.8.xml:31 sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30
   72 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
   73 #: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21
   74 #: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21
   75 msgid "DESCRIPTION"
   76 msgstr ""
   77 
   78 #. type: Content of: <reference><refentry><refsect1><para>
   79 #: sss_groupmod.8.xml:32
   80 msgid ""
   81 "<command>sss_groupmod</command> modifies the group to reflect the changes "
   82 "that are specified on the command line."
   83 msgstr ""
   84 
   85 #. type: Content of: <reference><refentry><refsect1><title>
   86 #: sss_groupmod.8.xml:39 pam_sss.8.xml:70 pam_sss_gss.8.xml:89 sssd.8.xml:42
   87 #: sss_obfuscate.8.xml:58 sss_useradd.8.xml:39 sss_groupadd.8.xml:39
   88 #: sss_userdel.8.xml:39 sss_groupdel.8.xml:39 sss_groupshow.8.xml:39
   89 #: sss_usermod.8.xml:39 sss_cache.8.xml:39 sss_seed.8.xml:42
   90 #: sss_ssh_authorizedkeys.1.xml:123 sss_ssh_knownhostsproxy.1.xml:62
   91 msgid "OPTIONS"
   92 msgstr ""
   93 
   94 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
   95 #: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
   96 msgid ""
   97 "<option>-a</option>,<option>--append-group</option> "
   98 "<replaceable>GROUPS</replaceable>"
   99 msgstr ""
  100 
  101 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
  102 #: sss_groupmod.8.xml:48
  103 msgid ""
  104 "Append this group to groups specified by the "
  105 "<replaceable>GROUPS</replaceable> parameter.  The "
  106 "<replaceable>GROUPS</replaceable> parameter is a comma separated list of "
  107 "group names."
  108 msgstr ""
  109 
  110 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
  111 #: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
  112 msgid ""
  113 "<option>-r</option>,<option>--remove-group</option> "
  114 "<replaceable>GROUPS</replaceable>"
  115 msgstr ""
  116 
  117 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
  118 #: sss_groupmod.8.xml:62
  119 msgid ""
  120 "Remove this group from groups specified by the "
  121 "<replaceable>GROUPS</replaceable> parameter."
  122 msgstr ""
  123 
  124 #. type: Content of: <reference><refentry><refnamediv><refname>
  125 #: sssd.conf.5.xml:10 sssd.conf.5.xml:16
  126 msgid "sssd.conf"
  127 msgstr ""
  128 
  129 #. type: Content of: <reference><refentry><refmeta><manvolnum>
  130 #: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
  131 #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11
  132 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
  133 #: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11
  134 #: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11
  135 msgid "5"
  136 msgstr ""
  137 
  138 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
  139 #: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
  140 #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12
  141 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
  142 #: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12
  143 #: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12
  144 msgid "File Formats and Conventions"
  145 msgstr ""
  146 
  147 #. type: Content of: <reference><refentry><refnamediv><refpurpose>
  148 #: sssd.conf.5.xml:17
  149 msgid "the configuration file for SSSD"
  150 msgstr ""
  151 
  152 #. type: Content of: <reference><refentry><refsect1><title>
  153 #: sssd.conf.5.xml:21
  154 msgid "FILE FORMAT"
  155 msgstr ""
  156 
  157 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
  158 #: sssd.conf.5.xml:29
  159 #, no-wrap
  160 msgid ""
  161 "<replaceable>[section]</replaceable>\n"
  162 "<replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
  163 "<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
  164 "            "
  165 msgstr ""
  166 
  167 #. type: Content of: <reference><refentry><refsect1><para>
  168 #: sssd.conf.5.xml:24
  169 msgid ""
  170 "The file has an ini-style syntax and consists of sections and parameters. A "
  171 "section begins with the name of the section in square brackets and continues "
  172 "until the next section begins. An example of section with single and "
  173 "multi-valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
  174 msgstr ""
  175 
  176 #. type: Content of: <reference><refentry><refsect1><para>
  177 #: sssd.conf.5.xml:36
  178 msgid ""
  179 "The data types used are string (no quotes needed), integer and bool (with "
  180 "values of <quote>TRUE/FALSE</quote>)."
  181 msgstr ""
  182 
  183 #. type: Content of: <reference><refentry><refsect1><para>
  184 #: sssd.conf.5.xml:41
  185 msgid ""
  186 "A comment line starts with a hash sign (<quote>#</quote>) or a semicolon "
  187 "(<quote>;</quote>).  Inline comments are not supported."
  188 msgstr ""
  189 
  190 #. type: Content of: <reference><refentry><refsect1><para>
  191 #: sssd.conf.5.xml:47
  192 msgid ""
  193 "All sections can have an optional <replaceable>description</replaceable> "
  194 "parameter. Its function is only as a label for the section."
  195 msgstr ""
  196 
  197 #. type: Content of: <reference><refentry><refsect1><para>
  198 #: sssd.conf.5.xml:53
  199 msgid ""
  200 "<filename>sssd.conf</filename> must be a regular file, owned by root and "
  201 "only root may read from or write to the file."
  202 msgstr ""
  203 
  204 #. type: Content of: <reference><refentry><refsect1><title>
  205 #: sssd.conf.5.xml:59
  206 msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY"
  207 msgstr ""
  208 
  209 #. type: Content of: <reference><refentry><refsect1><para>
  210 #: sssd.conf.5.xml:62
  211 msgid ""
  212 "The configuration file <filename>sssd.conf</filename> will include "
  213 "configuration snippets using the include directory "
  214 "<filename>conf.d</filename>. This feature is available if SSSD was compiled "
  215 "with libini version 1.3.0 or later."
  216 msgstr ""
  217 
  218 #. type: Content of: <reference><refentry><refsect1><para>
  219 #: sssd.conf.5.xml:69
  220 msgid ""
  221 "Any file placed in <filename>conf.d</filename> that ends in "
  222 "<quote><filename>.conf</filename></quote> and does not begin with a dot "
  223 "(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> "
  224 "to configure SSSD."
  225 msgstr ""
  226 
  227 #. type: Content of: <reference><refentry><refsect1><para>
  228 #: sssd.conf.5.xml:77
  229 msgid ""
  230 "The configuration snippets from <filename>conf.d</filename> have higher "
  231 "priority than <filename>sssd.conf</filename> and will override "
  232 "<filename>sssd.conf</filename> when conflicts occur. If several snippets are "
  233 "present in <filename>conf.d</filename>, then they are included in "
  234 "alphabetical order (based on locale).  Files included later have higher "
  235 "priority. Numerical prefixes (<filename>01_snippet.conf</filename>, "
  236 "<filename>02_snippet.conf</filename> etc.) can help visualize the priority "
  237 "(higher number means higher priority)."
  238 msgstr ""
  239 
  240 #. type: Content of: <reference><refentry><refsect1><para>
  241 #: sssd.conf.5.xml:91
  242 msgid ""
  243 "The snippet files require the same owner and permissions as "
  244 "<filename>sssd.conf</filename>. Which are by default root:root and 0600."
  245 msgstr ""
  246 
  247 #. type: Content of: <reference><refentry><refsect1><title>
  248 #: sssd.conf.5.xml:98
  249 msgid "GENERAL OPTIONS"
  250 msgstr ""
  251 
  252 #. type: Content of: <reference><refentry><refsect1><para>
  253 #: sssd.conf.5.xml:100
  254 msgid "Following options are usable in more than one configuration sections."
  255 msgstr ""
  256 
  257 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
  258 #: sssd.conf.5.xml:104
  259 msgid "Options usable in all sections"
  260 msgstr ""
  261 
  262 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  263 #: sssd.conf.5.xml:108
  264 msgid "debug_level (integer)"
  265 msgstr ""
  266 
  267 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  268 #: sssd.conf.5.xml:112
  269 msgid "debug (integer)"
  270 msgstr ""
  271 
  272 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  273 #: sssd.conf.5.xml:115
  274 msgid ""
  275 "SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias "
  276 "for <replaceable>debug_level</replaceable> as a convenience feature. If both "
  277 "are specified, the value of <replaceable>debug_level</replaceable> will be "
  278 "used."
  279 msgstr ""
  280 
  281 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  282 #: sssd.conf.5.xml:125
  283 msgid "debug_timestamps (bool)"
  284 msgstr ""
  285 
  286 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  287 #: sssd.conf.5.xml:128
  288 msgid ""
  289 "Add a timestamp to the debug messages.  If journald is enabled for SSSD "
  290 "debug logging this option is ignored."
  291 msgstr ""
  292 
  293 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
  294 #: sssd.conf.5.xml:133 sssd.conf.5.xml:331 sssd.conf.5.xml:612
  295 #: sssd.conf.5.xml:941 sssd.conf.5.xml:1936 sssd.conf.5.xml:1966
  296 #: sssd-ldap.5.xml:962 sssd-ldap.5.xml:1060 sssd-ldap.5.xml:1127
  297 #: sssd-ldap.5.xml:1579 sssd-ldap.5.xml:1644 sssd-ipa.5.xml:341
  298 #: sssd-ad.5.xml:229 sssd-ad.5.xml:343 sssd-ad.5.xml:1177 sssd-ad.5.xml:1325
  299 #: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
  300 msgid "Default: true"
  301 msgstr ""
  302 
  303 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  304 #: sssd.conf.5.xml:138
  305 msgid "debug_microseconds (bool)"
  306 msgstr ""
  307 
  308 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  309 #: sssd.conf.5.xml:141
  310 msgid ""
  311 "Add microseconds to the timestamp in debug messages.  If journald is enabled "
  312 "for SSSD debug logging this option is ignored."
  313 msgstr ""
  314 
  315 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
  316 #: sssd.conf.5.xml:146 sssd.conf.5.xml:609 sssd.conf.5.xml:823
  317 #: sssd.conf.5.xml:1869 sssd.conf.5.xml:3686 sssd-ldap.5.xml:312
  318 #: sssd-ldap.5.xml:813 sssd-ldap.5.xml:832 sssd-ldap.5.xml:1032
  319 #: sssd-ldap.5.xml:1463 sssd-ldap.5.xml:1668 sssd-ipa.5.xml:151
  320 #: sssd-ipa.5.xml:253 sssd-ipa.5.xml:589 sssd-ad.5.xml:1083 sssd-krb5.5.xml:266
  321 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 sssd-krb5.5.xml:573
  322 msgid "Default: false"
  323 msgstr ""
  324 
  325 #. type: Content of: outside any tag (error?)
  326 #: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:1520
  327 #: sssd-ldap.5.xml:1691 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
  328 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
  329 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
  330 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
  331 #: sssd-ldap-attributes.5.xml:970 sssd-ldap-attributes.5.xml:1028
  332 #: sssd-ldap-attributes.5.xml:1186 sssd-ldap-attributes.5.xml:1231
  333 #: include/autofs_attributes.xml:1
  334 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
  335 msgstr ""
  336 
  337 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
  338 #: sssd.conf.5.xml:155
  339 msgid "Options usable in SERVICE and DOMAIN sections"
  340 msgstr ""
  341 
  342 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  343 #: sssd.conf.5.xml:159
  344 msgid "timeout (integer)"
  345 msgstr ""
  346 
  347 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  348 #: sssd.conf.5.xml:162
  349 msgid ""
  350 "Timeout in seconds between heartbeats for this service. This is used to "
  351 "ensure that the process is alive and capable of answering requests. Note "
  352 "that after three missed heartbeats the process will terminate itself."
  353 msgstr ""
  354 
  355 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
  356 #: sssd.conf.5.xml:169 sssd.conf.5.xml:1161 sssd.conf.5.xml:1550
  357 #: sssd.conf.5.xml:3702 sssd-ldap.5.xml:684 include/ldap_id_mapping.xml:264
  358 msgid "Default: 10"
  359 msgstr ""
  360 
  361 #. type: Content of: <reference><refentry><refsect1><title>
  362 #: sssd.conf.5.xml:179
  363 msgid "SPECIAL SECTIONS"
  364 msgstr ""
  365 
  366 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
  367 #: sssd.conf.5.xml:182
  368 msgid "The [sssd] section"
  369 msgstr ""
  370 
  371 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
  372 #: sssd.conf.5.xml:191 sssd.conf.5.xml:3791
  373 msgid "Section parameters"
  374 msgstr ""
  375 
  376 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  377 #: sssd.conf.5.xml:193
  378 msgid "config_file_version (integer)"
  379 msgstr ""
  380 
  381 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  382 #: sssd.conf.5.xml:196
  383 msgid ""
  384 "Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
  385 "version 2."
  386 msgstr ""
  387 
  388 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  389 #: sssd.conf.5.xml:202
  390 msgid "services"
  391 msgstr ""
  392 
  393 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  394 #: sssd.conf.5.xml:205
  395 msgid ""
  396 "Comma separated list of services that are started when sssd itself starts.  "
  397 "<phrase condition=\"have_systemd\"> The services' list is optional on "
  398 "platforms where systemd is supported, as they will either be socket or D-Bus "
  399 "activated when needed.  </phrase>"
  400 msgstr ""
  401 
  402 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  403 #: sssd.conf.5.xml:214
  404 msgid ""
  405 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
  406 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase "
  407 "condition=\"with_ssh\">, ssh</phrase> <phrase "
  408 "condition=\"with_pac_responder\">, pac</phrase> <phrase "
  409 "condition=\"with_ifp\">, ifp</phrase>"
  410 msgstr ""
  411 
  412 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  413 #: sssd.conf.5.xml:222
  414 msgid ""
  415 "<phrase condition=\"have_systemd\"> By default, all services are disabled "
  416 "and the administrator must enable the ones allowed to be used by executing: "
  417 "\"systemctl enable sssd-@service@.socket\".  </phrase>"
  418 msgstr ""
  419 
  420 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
  421 #: sssd.conf.5.xml:231 sssd.conf.5.xml:683
  422 msgid "reconnection_retries (integer)"
  423 msgstr ""
  424 
  425 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
  426 #: sssd.conf.5.xml:234 sssd.conf.5.xml:686
  427 msgid ""
  428 "Number of times services should attempt to reconnect in the event of a Data "
  429 "Provider crash or restart before they give up"
  430 msgstr ""
  431 
  432 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  433 #: sssd.conf.5.xml:239 sssd.conf.5.xml:691 include/failover.xml:100
  434 msgid "Default: 3"
  435 msgstr ""
  436 
  437 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  438 #: sssd.conf.5.xml:244
  439 msgid "domains"
  440 msgstr ""
  441 
  442 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  443 #: sssd.conf.5.xml:247
  444 msgid ""
  445 "A domain is a database containing user information. SSSD can use more "
  446 "domains at the same time, but at least one must be configured or SSSD won't "
  447 "start.  This parameter describes the list of domains in the order you want "
  448 "them to be queried.  A domain name is recommended to contain only "
  449 "alphanumeric ASCII characters, dashes, dots and underscores. '/' character "
  450 "is forbidden."
  451 msgstr ""
  452 
  453 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
  454 #: sssd.conf.5.xml:260 sssd.conf.5.xml:3203
  455 msgid "re_expression (string)"
  456 msgstr ""
  457 
  458 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  459 #: sssd.conf.5.xml:263
  460 msgid ""
  461 "Default regular expression that describes how to parse the string containing "
  462 "user name and domain into these components."
  463 msgstr ""
  464 
  465 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  466 #: sssd.conf.5.xml:268
  467 msgid ""
  468 "Each domain can have an individual regular expression configured. For some "
  469 "ID providers there are also default regular expressions. See DOMAIN SECTIONS "
  470 "for more info on these regular expressions."
  471 msgstr ""
  472 
  473 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
  474 #: sssd.conf.5.xml:277 sssd.conf.5.xml:3251
  475 msgid "full_name_format (string)"
  476 msgstr ""
  477 
  478 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
  479 #: sssd.conf.5.xml:280 sssd.conf.5.xml:3254
  480 msgid ""
  481 "A <citerefentry> <refentrytitle>printf</refentrytitle> "
  482 "<manvolnum>3</manvolnum> </citerefentry>-compatible format that describes "
  483 "how to compose a fully qualified name from user name and domain name "
  484 "components."
  485 msgstr ""
  486 
  487 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  488 #: sssd.conf.5.xml:291 sssd.conf.5.xml:3265
  489 msgid "%1$s"
  490 msgstr ""
  491 
  492 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  493 #: sssd.conf.5.xml:292 sssd.conf.5.xml:3266
  494 msgid "user name"
  495 msgstr ""
  496 
  497 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  498 #: sssd.conf.5.xml:295 sssd.conf.5.xml:3269
  499 msgid "%2$s"
  500 msgstr ""
  501 
  502 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  503 #: sssd.conf.5.xml:298 sssd.conf.5.xml:3272
  504 msgid "domain name as specified in the SSSD config file."
  505 msgstr ""
  506 
  507 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  508 #: sssd.conf.5.xml:304 sssd.conf.5.xml:3278
  509 msgid "%3$s"
  510 msgstr ""
  511 
  512 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  513 #: sssd.conf.5.xml:307 sssd.conf.5.xml:3281
  514 msgid ""
  515 "domain flat name. Mostly usable for Active Directory domains, both directly "
  516 "configured or discovered via IPA trusts."
  517 msgstr ""
  518 
  519 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
  520 #: sssd.conf.5.xml:288 sssd.conf.5.xml:3262
  521 msgid ""
  522 "The following expansions are supported: <placeholder type=\"variablelist\" "
  523 "id=\"0\"/>"
  524 msgstr ""
  525 
  526 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  527 #: sssd.conf.5.xml:317
  528 msgid ""
  529 "Each domain can have an individual format string configured.  See DOMAIN "
  530 "SECTIONS for more info on this option."
  531 msgstr ""
  532 
  533 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  534 #: sssd.conf.5.xml:323
  535 msgid "monitor_resolv_conf (boolean)"
  536 msgstr ""
  537 
  538 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  539 #: sssd.conf.5.xml:326
  540 msgid ""
  541 "Controls if SSSD should monitor the state of resolv.conf to identify when it "
  542 "needs to update its internal DNS resolver."
  543 msgstr ""
  544 
  545 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  546 #: sssd.conf.5.xml:336
  547 msgid "try_inotify (boolean)"
  548 msgstr ""
  549 
  550 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  551 #: sssd.conf.5.xml:339
  552 msgid ""
  553 "By default, SSSD will attempt to use inotify to monitor configuration files "
  554 "changes and will fall back to polling every five seconds if inotify cannot "
  555 "be used."
  556 msgstr ""
  557 
  558 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  559 #: sssd.conf.5.xml:345
  560 msgid ""
  561 "There are some limited situations where it is preferred that we should skip "
  562 "even trying to use inotify. In these rare cases, this option should be set "
  563 "to 'false'"
  564 msgstr ""
  565 
  566 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  567 #: sssd.conf.5.xml:351
  568 msgid ""
  569 "Default: true on platforms where inotify is supported. False on other "
  570 "platforms."
  571 msgstr ""
  572 
  573 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  574 #: sssd.conf.5.xml:355
  575 msgid ""
  576 "Note: this option will have no effect on platforms where inotify is "
  577 "unavailable. On these platforms, polling will always be used."
  578 msgstr ""
  579 
  580 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  581 #: sssd.conf.5.xml:362
  582 msgid "krb5_rcache_dir (string)"
  583 msgstr ""
  584 
  585 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  586 #: sssd.conf.5.xml:365
  587 msgid ""
  588 "Directory on the filesystem where SSSD should store Kerberos replay cache "
  589 "files."
  590 msgstr ""
  591 
  592 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  593 #: sssd.conf.5.xml:369
  594 msgid ""
  595 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
  596 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
  597 msgstr ""
  598 
  599 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  600 #: sssd.conf.5.xml:375
  601 msgid ""
  602 "Default: Distribution-specific and specified at "
  603 "build-time. (__LIBKRB5_DEFAULTS__ if not configured)"
  604 msgstr ""
  605 
  606 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  607 #: sssd.conf.5.xml:382
  608 msgid "user (string)"
  609 msgstr ""
  610 
  611 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  612 #: sssd.conf.5.xml:385
  613 msgid ""
  614 "The user to drop the privileges to where appropriate to avoid running as the "
  615 "root user.  <phrase condition=\"have_systemd\"> This option does not work "
  616 "when running socket-activated services, as the user set up to run the "
  617 "processes is set up during compilation time.  The way to override the "
  618 "systemd unit files is by creating the appropriate files in "
  619 "/etc/systemd/system/.  Keep in mind that any change in the socket user, "
  620 "group or permissions may result in a non-usable SSSD. The same may occur in "
  621 "case of changes of the user running the NSS responder.  </phrase>"
  622 msgstr ""
  623 
  624 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  625 #: sssd.conf.5.xml:403
  626 msgid "Default: not set, process will run as root"
  627 msgstr ""
  628 
  629 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  630 #: sssd.conf.5.xml:408
  631 msgid "default_domain_suffix (string)"
  632 msgstr ""
  633 
  634 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  635 #: sssd.conf.5.xml:411
  636 msgid ""
  637 "This string will be used as a default domain name for all names without a "
  638 "domain name component. The main use case is environments where the primary "
  639 "domain is intended for managing host policies and all users are located in a "
  640 "trusted domain.  The option allows those users to log in just with their "
  641 "user name without giving a domain name as well."
  642 msgstr ""
  643 
  644 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  645 #: sssd.conf.5.xml:421
  646 msgid ""
  647 "Please note that if this option is set all users from the primary domain "
  648 "have to use their fully qualified name, e.g. user@domain.name, to log "
  649 "in. Setting this option changes default of use_fully_qualified_names to "
  650 "True. It is not allowed to use this option together with "
  651 "use_fully_qualified_names set to False. One exception from this rule are "
  652 "domains with <quote>id_provider=files</quote> that always try to match the "
  653 "behaviour of nss_files and therefore their output is not qualified even when "
  654 "the default_domain_suffix option is used."
  655 msgstr ""
  656 
  657 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
  658 #: sssd.conf.5.xml:436 sssd.conf.5.xml:1348 sssd-ldap.5.xml:772
  659 #: sssd-ldap.5.xml:784 sssd-ldap.5.xml:876 sssd-ad.5.xml:897 sssd-ad.5.xml:972
  660 #: sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:609
  661 #: sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390
  662 #: sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 sssd-ldap-attributes.5.xml:470
  663 #: sssd-ldap-attributes.5.xml:959 include/ldap_id_mapping.xml:205
  664 #: include/ldap_id_mapping.xml:216
  665 msgid "Default: not set"
  666 msgstr ""
  667 
  668 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  669 #: sssd.conf.5.xml:441
  670 msgid "override_space (string)"
  671 msgstr ""
  672 
  673 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  674 #: sssd.conf.5.xml:444
  675 msgid ""
  676 "This parameter will replace spaces (space bar)  with the given character for "
  677 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
  678 "&quot;john_doe&quot; This feature was added to help compatibility with shell "
  679 "scripts that have difficulty handling spaces, due to the default field "
  680 "separator in the shell."
  681 msgstr ""
  682 
  683 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  684 #: sssd.conf.5.xml:453
  685 msgid ""
  686 "Please note it is a configuration error to use a replacement character that "
  687 "might be used in user or group names. If a name contains the replacement "
  688 "character SSSD tries to return the unmodified name but in general the result "
  689 "of a lookup is undefined."
  690 msgstr ""
  691 
  692 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  693 #: sssd.conf.5.xml:461
  694 msgid "Default: not set (spaces will not be replaced)"
  695 msgstr ""
  696 
  697 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  698 #: sssd.conf.5.xml:466
  699 msgid "certificate_verification (string)"
  700 msgstr ""
  701 
  702 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  703 #: sssd.conf.5.xml:474
  704 msgid "no_ocsp"
  705 msgstr ""
  706 
  707 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  708 #: sssd.conf.5.xml:476
  709 msgid ""
  710 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
  711 "needed if the OCSP servers defined in the certificate are not reachable from "
  712 "the client."
  713 msgstr ""
  714 
  715 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  716 #: sssd.conf.5.xml:484
  717 msgid "soft_ocsp"
  718 msgstr ""
  719 
  720 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  721 #: sssd.conf.5.xml:486
  722 msgid ""
  723 "If a connection cannot be established to an OCSP responder the OCSP check is "
  724 "skipped.  This option should be used to allow authentication when the system "
  725 "is offline and the OCSP responder cannot be reached."
  726 msgstr ""
  727 
  728 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  729 #: sssd.conf.5.xml:496
  730 msgid "ocsp_dgst"
  731 msgstr ""
  732 
  733 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  734 #: sssd.conf.5.xml:498
  735 msgid ""
  736 "Digest (hash) function used to create the certificate ID for the OCSP "
  737 "request. Allowed values are:"
  738 msgstr ""
  739 
  740 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
  741 #: sssd.conf.5.xml:502
  742 msgid "sha1"
  743 msgstr ""
  744 
  745 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
  746 #: sssd.conf.5.xml:503
  747 msgid "sha256"
  748 msgstr ""
  749 
  750 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
  751 #: sssd.conf.5.xml:504
  752 msgid "sha384"
  753 msgstr ""
  754 
  755 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
  756 #: sssd.conf.5.xml:505
  757 msgid "sha512"
  758 msgstr ""
  759 
  760 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  761 #: sssd.conf.5.xml:508
  762 msgid "Default: sha1 (to allow compatibility with RFC5019-compliant responder)"
  763 msgstr ""
  764 
  765 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  766 #: sssd.conf.5.xml:514
  767 msgid "no_verification"
  768 msgstr ""
  769 
  770 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  771 #: sssd.conf.5.xml:516
  772 msgid ""
  773 "Disables verification completely.  This option should only be used for "
  774 "testing."
  775 msgstr ""
  776 
  777 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  778 #: sssd.conf.5.xml:522
  779 msgid "ocsp_default_responder=URL"
  780 msgstr ""
  781 
  782 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  783 #: sssd.conf.5.xml:524
  784 msgid ""
  785 "Sets the OCSP default responder which should be used instead of the one "
  786 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
  787 "default responder e.g.  http://example.com:80/ocsp."
  788 msgstr ""
  789 
  790 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  791 #: sssd.conf.5.xml:534
  792 msgid "ocsp_default_responder_signing_cert=NAME"
  793 msgstr ""
  794 
  795 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  796 #: sssd.conf.5.xml:536
  797 msgid ""
  798 "This option is currently ignored. All needed certificates must be available "
  799 "in the PEM file given by pam_cert_db_path."
  800 msgstr ""
  801 
  802 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  803 #: sssd.conf.5.xml:544
  804 msgid "crl_file=/PATH/TO/CRL/FILE"
  805 msgstr ""
  806 
  807 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  808 #: sssd.conf.5.xml:546
  809 msgid ""
  810 "Use the Certificate Revocation List (CRL) from the given file during the "
  811 "verification of the certificate. The CRL must be given in PEM format, see "
  812 "<citerefentry> <refentrytitle>crl</refentrytitle> "
  813 "<manvolnum>1ssl</manvolnum> </citerefentry> for details."
  814 msgstr ""
  815 
  816 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
  817 #: sssd.conf.5.xml:559
  818 msgid "soft_crl"
  819 msgstr ""
  820 
  821 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
  822 #: sssd.conf.5.xml:562
  823 msgid ""
  824 "If a Certificate Revocation List (CRL)  is expired ignore the CRL checks for "
  825 "the related certificates. This option should be used to allow authentication "
  826 "when the system is offline and the CRL cannot be renewed."
  827 msgstr ""
  828 
  829 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  830 #: sssd.conf.5.xml:469
  831 msgid ""
  832 "With this parameter the certificate verification can be tuned with a comma "
  833 "separated list of options. Supported options are: <placeholder "
  834 "type=\"variablelist\" id=\"0\"/>"
  835 msgstr ""
  836 
  837 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  838 #: sssd.conf.5.xml:573
  839 msgid "Unknown options are reported but ignored."
  840 msgstr ""
  841 
  842 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  843 #: sssd.conf.5.xml:576
  844 msgid "Default: not set, i.e. do not restrict certificate verification"
  845 msgstr ""
  846 
  847 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  848 #: sssd.conf.5.xml:582
  849 msgid "disable_netlink (boolean)"
  850 msgstr ""
  851 
  852 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  853 #: sssd.conf.5.xml:585
  854 msgid ""
  855 "SSSD hooks into the netlink interface to monitor changes to routes, "
  856 "addresses, links and trigger certain actions."
  857 msgstr ""
  858 
  859 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  860 #: sssd.conf.5.xml:590
  861 msgid ""
  862 "The SSSD state changes caused by netlink events may be undesirable and can "
  863 "be disabled by setting this option to 'true'"
  864 msgstr ""
  865 
  866 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  867 #: sssd.conf.5.xml:595
  868 msgid "Default: false (netlink changes are detected)"
  869 msgstr ""
  870 
  871 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  872 #: sssd.conf.5.xml:600
  873 msgid "enable_files_domain (boolean)"
  874 msgstr ""
  875 
  876 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  877 #: sssd.conf.5.xml:603
  878 msgid ""
  879 "When this option is enabled, SSSD prepends an implicit domain with "
  880 "<quote>id_provider=files</quote> before any explicitly configured domains."
  881 msgstr ""
  882 
  883 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
  884 #: sssd.conf.5.xml:617
  885 msgid "domain_resolution_order"
  886 msgstr ""
  887 
  888 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  889 #: sssd.conf.5.xml:620
  890 msgid ""
  891 "Comma separated list of domains and subdomains representing the lookup order "
  892 "that will be followed.  The list doesn't have to include all possible "
  893 "domains as the missing domains will be looked up based on the order they're "
  894 "presented in the <quote>domains</quote> configuration option.  The "
  895 "subdomains which are not listed as part of <quote>lookup_order</quote> will "
  896 "be looked up in a random order for each parent domain."
  897 msgstr ""
  898 
  899 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
  900 #: sssd.conf.5.xml:632
  901 msgid ""
  902 "Please, note that when this option is set the output format of all commands "
  903 "is always fully-qualified even when using short names for input, for all "
  904 "users but the ones managed by the files provider.  In case the administrator "
  905 "wants the output not fully-qualified, the full_name_format option can be "
  906 "used as shown below: <quote>full_name_format=%1$s</quote> However, keep in "
  907 "mind that during login, login applications often canonicalize the username "
  908 "by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> "
  909 "<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned "
  910 "for a qualified input (while trying to reach a user which exists in multiple "
  911 "domains) might re-route the login attempt into the domain which uses "
  912 "shortnames, making this workaround totally not recommended in cases where "
  913 "usernames may overlap between domains."
  914 msgstr ""
  915 
  916 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
  917 #: sssd.conf.5.xml:657 sssd.conf.5.xml:1562 sssd.conf.5.xml:3752
  918 #: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
  919 msgid "Default: Not set"
  920 msgstr ""
  921 
  922 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
  923 #: sssd.conf.5.xml:184
  924 msgid ""
  925 "Individual pieces of SSSD functionality are provided by special SSSD "
  926 "services that are started and stopped together with SSSD.  The services are "
  927 "managed by a special service frequently called <quote>monitor</quote>. The "
  928 "<quote>[sssd]</quote> section is used to configure the monitor as well as "
  929 "some other important options like the identity domains.  <placeholder "
  930 "type=\"variablelist\" id=\"0\"/>"
  931 msgstr ""
  932 
  933 #. type: Content of: <reference><refentry><refsect1><title>
  934 #: sssd.conf.5.xml:668
  935 msgid "SERVICES SECTIONS"
  936 msgstr ""
  937 
  938 #. type: Content of: <reference><refentry><refsect1><para>
  939 #: sssd.conf.5.xml:670
  940 msgid ""
  941 "Settings that can be used to configure different services are described in "
  942 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
  943 "section, for example, for NSS service, the section would be "
  944 "<quote>[nss]</quote>"
  945 msgstr ""
  946 
  947 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
  948 #: sssd.conf.5.xml:677
  949 msgid "General service configuration options"
  950 msgstr ""
  951 
  952 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
  953 #: sssd.conf.5.xml:679
  954 msgid "These options can be used to configure any service."
  955 msgstr ""
  956 
  957 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
  958 #: sssd.conf.5.xml:696
  959 msgid "fd_limit"
  960 msgstr ""
  961 
  962 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
  963 #: sssd.conf.5.xml:699
  964 msgid ""
  965 "This option specifies the maximum number of file descriptors that may be "
  966 "opened at one time by this SSSD process. On systems where SSSD is granted "
  967 "the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
  968 "systems without this capability, the resulting value will be the lower value "
  969 "of this or the limits.conf \"hard\" limit."
  970 msgstr ""
  971 
  972 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
  973 #: sssd.conf.5.xml:708
  974 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
  975 msgstr ""
  976 
  977 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
  978 #: sssd.conf.5.xml:713
  979 msgid "client_idle_timeout"
  980 msgstr ""
  981 
  982 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
  983 #: sssd.conf.5.xml:716
  984 msgid ""
  985 "This option specifies the number of seconds that a client of an SSSD process "
  986 "can hold onto a file descriptor without communicating on it. This value is "
  987 "limited in order to avoid resource exhaustion on the system. The timeout "
  988 "can't be shorter than 10 seconds. If a lower value is configured, it will be "
  989 "adjusted to 10 seconds."
  990 msgstr ""
  991 
  992 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
  993 #: sssd.conf.5.xml:725
  994 msgid "Default: 60, KCM: 300"
  995 msgstr ""
  996 
  997 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
  998 #: sssd.conf.5.xml:730
  999 msgid "offline_timeout (integer)"
 1000 msgstr ""
 1001 
 1002 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1003 #: sssd.conf.5.xml:733
 1004 msgid ""
 1005 "When SSSD switches to offline mode the amount of time before it tries to go "
 1006 "back online will increase based upon the time spent disconnected.  This "
 1007 "value is in seconds and calculated by the following:"
 1008 msgstr ""
 1009 
 1010 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1011 #: sssd.conf.5.xml:740
 1012 msgid "offline_timeout + random_offset"
 1013 msgstr ""
 1014 
 1015 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1016 #: sssd.conf.5.xml:743
 1017 msgid ""
 1018 "The random offset value is from 0 to 30.  After each unsuccessful attempt to "
 1019 "go online, the new interval is recalculated by the following:"
 1020 msgstr ""
 1021 
 1022 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1023 #: sssd.conf.5.xml:748
 1024 msgid "new_interval = (old_interval * 2) + random_offset"
 1025 msgstr ""
 1026 
 1027 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1028 #: sssd.conf.5.xml:751
 1029 msgid ""
 1030 "Note that the maximum length of each interval is defined by "
 1031 "offline_timeout_max, which defaults to one hour. If the calculated length of "
 1032 "new_interval is greater than offline_timeout_max, it will be forced to the "
 1033 "offline_timeout_max value."
 1034 msgstr ""
 1035 
 1036 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 1037 #: sssd.conf.5.xml:758 sssd.conf.5.xml:1072 sssd.conf.5.xml:1414
 1038 #: sssd.conf.5.xml:1651 sssd-ldap.5.xml:469
 1039 msgid "Default: 60"
 1040 msgstr ""
 1041 
 1042 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1043 #: sssd.conf.5.xml:763
 1044 msgid "offline_timeout_max (integer)"
 1045 msgstr ""
 1046 
 1047 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1048 #: sssd.conf.5.xml:766
 1049 msgid ""
 1050 "Controls by how much the time between attempts to go online can be "
 1051 "incremented following unsuccessful attempts to go online."
 1052 msgstr ""
 1053 
 1054 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1055 #: sssd.conf.5.xml:771
 1056 msgid "A value of 0 disables the incrementing behaviour."
 1057 msgstr ""
 1058 
 1059 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1060 #: sssd.conf.5.xml:774
 1061 msgid ""
 1062 "The value of this parameter should be set in correlation to offline_timeout "
 1063 "parameter value."
 1064 msgstr ""
 1065 
 1066 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1067 #: sssd.conf.5.xml:778
 1068 msgid ""
 1069 "With offline_timeout set to 60 (default value) there is no point in setting "
 1070 "offlinet_timeout_max to less than 120 as it will saturate instantly. General "
 1071 "rule here should be to set offline_timeout_max to at least 4 times "
 1072 "offline_timeout."
 1073 msgstr ""
 1074 
 1075 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1076 #: sssd.conf.5.xml:784
 1077 msgid ""
 1078 "Although a value between 0 and offline_timeout may be specified, it has the "
 1079 "effect of overriding the offline_timeout value so is of little use."
 1080 msgstr ""
 1081 
 1082 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1083 #: sssd.conf.5.xml:789
 1084 msgid "Default: 3600"
 1085 msgstr ""
 1086 
 1087 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1088 #: sssd.conf.5.xml:794
 1089 msgid "responder_idle_timeout"
 1090 msgstr ""
 1091 
 1092 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1093 #: sssd.conf.5.xml:797
 1094 msgid ""
 1095 "This option specifies the number of seconds that an SSSD responder process "
 1096 "can be up without being used. This value is limited in order to avoid "
 1097 "resource exhaustion on the system.  The minimum acceptable value for this "
 1098 "option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
 1099 "will be set up to the responder.  This option only has effect when SSSD is "
 1100 "built with systemd support and when services are either socket or D-Bus "
 1101 "activated."
 1102 msgstr ""
 1103 
 1104 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 1105 #: sssd.conf.5.xml:811 sssd.conf.5.xml:1085 sssd.conf.5.xml:2090
 1106 #: sssd-ldap.5.xml:326
 1107 msgid "Default: 300"
 1108 msgstr ""
 1109 
 1110 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1111 #: sssd.conf.5.xml:816
 1112 msgid "cache_first"
 1113 msgstr ""
 1114 
 1115 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1116 #: sssd.conf.5.xml:819
 1117 msgid ""
 1118 "This option specifies whether the responder should query all caches before "
 1119 "querying the Data Providers."
 1120 msgstr ""
 1121 
 1122 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 1123 #: sssd.conf.5.xml:831
 1124 msgid "NSS configuration options"
 1125 msgstr ""
 1126 
 1127 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 1128 #: sssd.conf.5.xml:833
 1129 msgid ""
 1130 "These options can be used to configure the Name Service Switch (NSS) "
 1131 "service."
 1132 msgstr ""
 1133 
 1134 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1135 #: sssd.conf.5.xml:838
 1136 msgid "enum_cache_timeout (integer)"
 1137 msgstr ""
 1138 
 1139 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1140 #: sssd.conf.5.xml:841
 1141 msgid ""
 1142 "How many seconds should nss_sss cache enumerations (requests for info about "
 1143 "all users)"
 1144 msgstr ""
 1145 
 1146 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1147 #: sssd.conf.5.xml:845
 1148 msgid "Default: 120"
 1149 msgstr ""
 1150 
 1151 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1152 #: sssd.conf.5.xml:850
 1153 msgid "entry_cache_nowait_percentage (integer)"
 1154 msgstr ""
 1155 
 1156 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1157 #: sssd.conf.5.xml:853
 1158 msgid ""
 1159 "The entry cache can be set to automatically update entries in the background "
 1160 "if they are requested beyond a percentage of the entry_cache_timeout value "
 1161 "for the domain."
 1162 msgstr ""
 1163 
 1164 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1165 #: sssd.conf.5.xml:859
 1166 msgid ""
 1167 "For example, if the domain's entry_cache_timeout is set to 30s and "
 1168 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
 1169 "after 15 seconds past the last cache update will be returned immediately, "
 1170 "but the SSSD will go and update the cache on its own, so that future "
 1171 "requests will not need to block waiting for a cache update."
 1172 msgstr ""
 1173 
 1174 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1175 #: sssd.conf.5.xml:869
 1176 msgid ""
 1177 "Valid values for this option are 0-99 and represent a percentage of the "
 1178 "entry_cache_timeout for each domain. For performance reasons, this "
 1179 "percentage will never reduce the nowait timeout to less than 10 seconds.  (0 "
 1180 "disables this feature)"
 1181 msgstr ""
 1182 
 1183 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1184 #: sssd.conf.5.xml:877 sssd.conf.5.xml:1890
 1185 msgid "Default: 50"
 1186 msgstr ""
 1187 
 1188 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1189 #: sssd.conf.5.xml:882
 1190 msgid "entry_negative_timeout (integer)"
 1191 msgstr ""
 1192 
 1193 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1194 #: sssd.conf.5.xml:885
 1195 msgid ""
 1196 "Specifies for how many seconds nss_sss should cache negative cache hits "
 1197 "(that is, queries for invalid database entries, like nonexistent ones)  "
 1198 "before asking the back end again."
 1199 msgstr ""
 1200 
 1201 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1202 #: sssd.conf.5.xml:891 sssd.conf.5.xml:1914
 1203 msgid "Default: 15"
 1204 msgstr ""
 1205 
 1206 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1207 #: sssd.conf.5.xml:896
 1208 msgid "local_negative_timeout (integer)"
 1209 msgstr ""
 1210 
 1211 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1212 #: sssd.conf.5.xml:899
 1213 msgid ""
 1214 "Specifies for how many seconds nss_sss should keep local users and groups in "
 1215 "negative cache before trying to look it up in the back end again. Setting "
 1216 "the option to 0 disables this feature."
 1217 msgstr ""
 1218 
 1219 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1220 #: sssd.conf.5.xml:905
 1221 msgid "Default: 14400 (4 hours)"
 1222 msgstr ""
 1223 
 1224 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1225 #: sssd.conf.5.xml:910
 1226 msgid "filter_users, filter_groups (string)"
 1227 msgstr ""
 1228 
 1229 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1230 #: sssd.conf.5.xml:913
 1231 msgid ""
 1232 "Exclude certain users or groups from being fetched from the sss NSS "
 1233 "database. This is particularly useful for system accounts. This option can "
 1234 "also be set per-domain or include fully-qualified names to filter only users "
 1235 "from the particular domain or by a user principal name (UPN)."
 1236 msgstr ""
 1237 
 1238 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1239 #: sssd.conf.5.xml:921
 1240 msgid ""
 1241 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 1242 "members, since filtering happens after they are propagated for returning via "
 1243 "NSS. E.g. a group having a member group filtered out will still have the "
 1244 "member users of the latter listed."
 1245 msgstr ""
 1246 
 1247 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1248 #: sssd.conf.5.xml:929
 1249 msgid "Default: root"
 1250 msgstr ""
 1251 
 1252 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1253 #: sssd.conf.5.xml:934
 1254 msgid "filter_users_in_groups (bool)"
 1255 msgstr ""
 1256 
 1257 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1258 #: sssd.conf.5.xml:937
 1259 msgid "If you want filtered user still be group members set this option to false."
 1260 msgstr ""
 1261 
 1262 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1263 #: sssd.conf.5.xml:948
 1264 msgid "fallback_homedir (string)"
 1265 msgstr ""
 1266 
 1267 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1268 #: sssd.conf.5.xml:951
 1269 msgid ""
 1270 "Set a default template for a user's home directory if one is not specified "
 1271 "explicitly by the domain's data provider."
 1272 msgstr ""
 1273 
 1274 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1275 #: sssd.conf.5.xml:956
 1276 msgid "The available values for this option are the same as for override_homedir."
 1277 msgstr ""
 1278 
 1279 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 1280 #: sssd.conf.5.xml:962
 1281 #, no-wrap
 1282 msgid ""
 1283 "fallback_homedir = /home/%u\n"
 1284 "                            "
 1285 msgstr ""
 1286 
 1287 #. type: Content of: <varlistentry><listitem><para>
 1288 #: sssd.conf.5.xml:960 sssd.conf.5.xml:1481 sssd.conf.5.xml:1500
 1289 #: sssd-krb5.5.xml:592 include/override_homedir.xml:59
 1290 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 1291 msgstr ""
 1292 
 1293 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1294 #: sssd.conf.5.xml:966
 1295 msgid "Default: not set (no substitution for unset home directories)"
 1296 msgstr ""
 1297 
 1298 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1299 #: sssd.conf.5.xml:972
 1300 msgid "override_shell (string)"
 1301 msgstr ""
 1302 
 1303 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1304 #: sssd.conf.5.xml:975
 1305 msgid ""
 1306 "Override the login shell for all users. This option supersedes any other "
 1307 "shell options if it takes effect and can be set either in the [nss] section "
 1308 "or per-domain."
 1309 msgstr ""
 1310 
 1311 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1312 #: sssd.conf.5.xml:981
 1313 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 1314 msgstr ""
 1315 
 1316 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1317 #: sssd.conf.5.xml:987
 1318 msgid "allowed_shells (string)"
 1319 msgstr ""
 1320 
 1321 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1322 #: sssd.conf.5.xml:990
 1323 msgid "Restrict user shell to one of the listed values. The order of evaluation is:"
 1324 msgstr ""
 1325 
 1326 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1327 #: sssd.conf.5.xml:993
 1328 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 1329 msgstr ""
 1330 
 1331 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1332 #: sssd.conf.5.xml:997
 1333 msgid ""
 1334 "2. If the shell is in the allowed_shells list but not in "
 1335 "<quote>/etc/shells</quote>, use the value of the shell_fallback parameter."
 1336 msgstr ""
 1337 
 1338 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1339 #: sssd.conf.5.xml:1002
 1340 msgid ""
 1341 "3. If the shell is not in the allowed_shells list and not in "
 1342 "<quote>/etc/shells</quote>, a nologin shell is used."
 1343 msgstr ""
 1344 
 1345 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1346 #: sssd.conf.5.xml:1007
 1347 msgid "The wildcard (*) can be used to allow any shell."
 1348 msgstr ""
 1349 
 1350 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1351 #: sssd.conf.5.xml:1010
 1352 msgid ""
 1353 "The (*) is useful if you want to use shell_fallback in case that user's "
 1354 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
 1355 "allowed shells in allowed_shells would be to much overhead."
 1356 msgstr ""
 1357 
 1358 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1359 #: sssd.conf.5.xml:1017
 1360 msgid "An empty string for shell is passed as-is to libc."
 1361 msgstr ""
 1362 
 1363 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1364 #: sssd.conf.5.xml:1020
 1365 msgid ""
 1366 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 1367 "that a restart of the SSSD is required in case a new shell is installed."
 1368 msgstr ""
 1369 
 1370 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1371 #: sssd.conf.5.xml:1024
 1372 msgid "Default: Not set. The user shell is automatically used."
 1373 msgstr ""
 1374 
 1375 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1376 #: sssd.conf.5.xml:1029
 1377 msgid "vetoed_shells (string)"
 1378 msgstr ""
 1379 
 1380 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1381 #: sssd.conf.5.xml:1032
 1382 msgid "Replace any instance of these shells with the shell_fallback"
 1383 msgstr ""
 1384 
 1385 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1386 #: sssd.conf.5.xml:1037
 1387 msgid "shell_fallback (string)"
 1388 msgstr ""
 1389 
 1390 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1391 #: sssd.conf.5.xml:1040
 1392 msgid ""
 1393 "The default shell to use if an allowed shell is not installed on the "
 1394 "machine."
 1395 msgstr ""
 1396 
 1397 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1398 #: sssd.conf.5.xml:1044
 1399 msgid "Default: /bin/sh"
 1400 msgstr ""
 1401 
 1402 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1403 #: sssd.conf.5.xml:1049
 1404 msgid "default_shell"
 1405 msgstr ""
 1406 
 1407 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1408 #: sssd.conf.5.xml:1052
 1409 msgid ""
 1410 "The default shell to use if the provider does not return one during "
 1411 "lookup. This option can be specified globally in the [nss] section or "
 1412 "per-domain."
 1413 msgstr ""
 1414 
 1415 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1416 #: sssd.conf.5.xml:1058
 1417 msgid ""
 1418 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 1419 "substitute something sensible when necessary, usually /bin/sh)"
 1420 msgstr ""
 1421 
 1422 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1423 #: sssd.conf.5.xml:1065 sssd.conf.5.xml:1407
 1424 msgid "get_domains_timeout (int)"
 1425 msgstr ""
 1426 
 1427 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1428 #: sssd.conf.5.xml:1068 sssd.conf.5.xml:1410
 1429 msgid ""
 1430 "Specifies time in seconds for which the list of subdomains will be "
 1431 "considered valid."
 1432 msgstr ""
 1433 
 1434 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1435 #: sssd.conf.5.xml:1077
 1436 msgid "memcache_timeout (integer)"
 1437 msgstr ""
 1438 
 1439 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1440 #: sssd.conf.5.xml:1080
 1441 msgid ""
 1442 "Specifies time in seconds for which records in the in-memory cache will be "
 1443 "valid. Setting this option to zero will disable the in-memory cache."
 1444 msgstr ""
 1445 
 1446 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1447 #: sssd.conf.5.xml:1088
 1448 msgid ""
 1449 "WARNING: Disabling the in-memory cache will have significant negative impact "
 1450 "on SSSD's performance and should only be used for testing."
 1451 msgstr ""
 1452 
 1453 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1454 #: sssd.conf.5.xml:1094 sssd.conf.5.xml:1119 sssd.conf.5.xml:1144
 1455 #: sssd.conf.5.xml:1169
 1456 msgid ""
 1457 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 1458 "client applications will not use the fast in-memory cache."
 1459 msgstr ""
 1460 
 1461 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1462 #: sssd.conf.5.xml:1102
 1463 msgid "memcache_size_passwd (integer)"
 1464 msgstr ""
 1465 
 1466 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1467 #: sssd.conf.5.xml:1105
 1468 msgid ""
 1469 "Size (in megabytes) of the data table allocated inside fast in-memory cache "
 1470 "for passwd requests.  Setting the size to 0 will disable the passwd "
 1471 "in-memory cache."
 1472 msgstr ""
 1473 
 1474 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 1475 #: sssd.conf.5.xml:1111 sssd.conf.5.xml:2623 sssd-ldap.5.xml:513
 1476 msgid "Default: 8"
 1477 msgstr ""
 1478 
 1479 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1480 #: sssd.conf.5.xml:1114 sssd.conf.5.xml:1139 sssd.conf.5.xml:1164
 1481 msgid ""
 1482 "WARNING: Disabled or too small in-memory cache can have significant negative "
 1483 "impact on SSSD's performance."
 1484 msgstr ""
 1485 
 1486 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1487 #: sssd.conf.5.xml:1127
 1488 msgid "memcache_size_group (integer)"
 1489 msgstr ""
 1490 
 1491 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1492 #: sssd.conf.5.xml:1130
 1493 msgid ""
 1494 "Size (in megabytes) of the data table allocated inside fast in-memory cache "
 1495 "for group requests.  Setting the size to 0 will disable the group in-memory "
 1496 "cache."
 1497 msgstr ""
 1498 
 1499 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 1500 #: sssd.conf.5.xml:1136 sssd.conf.5.xml:3340 sssd-ldap.5.xml:453
 1501 #: sssd-ldap.5.xml:495 sssd-krb5.5.xml:248 include/failover.xml:116
 1502 msgid "Default: 6"
 1503 msgstr ""
 1504 
 1505 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1506 #: sssd.conf.5.xml:1152
 1507 msgid "memcache_size_initgroups (integer)"
 1508 msgstr ""
 1509 
 1510 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1511 #: sssd.conf.5.xml:1155
 1512 msgid ""
 1513 "Size (in megabytes) of the data table allocated inside fast in-memory cache "
 1514 "for initgroups requests.  Setting the size to 0 will disable the initgroups "
 1515 "in-memory cache."
 1516 msgstr ""
 1517 
 1518 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 1519 #: sssd.conf.5.xml:1177 sssd-ifp.5.xml:74
 1520 msgid "user_attributes (string)"
 1521 msgstr ""
 1522 
 1523 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1524 #: sssd.conf.5.xml:1180
 1525 msgid ""
 1526 "Some of the additional NSS responder requests can return more attributes "
 1527 "than just the POSIX ones defined by the NSS interface. The list of "
 1528 "attributes is controlled by this option. It is handled the same way as the "
 1529 "<quote>user_attributes</quote> option of the InfoPipe responder (see "
 1530 "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> "
 1531 "<manvolnum>5</manvolnum> </citerefentry> for details) but with no default "
 1532 "values."
 1533 msgstr ""
 1534 
 1535 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1536 #: sssd.conf.5.xml:1193
 1537 msgid ""
 1538 "To make configuration more easy the NSS responder will check the InfoPipe "
 1539 "option if it is not set for the NSS responder."
 1540 msgstr ""
 1541 
 1542 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1543 #: sssd.conf.5.xml:1198
 1544 msgid "Default: not set, fallback to InfoPipe option"
 1545 msgstr ""
 1546 
 1547 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1548 #: sssd.conf.5.xml:1203
 1549 msgid "pwfield (string)"
 1550 msgstr ""
 1551 
 1552 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1553 #: sssd.conf.5.xml:1206
 1554 msgid ""
 1555 "The value that NSS operations that return users or groups will return for "
 1556 "the <quote>password</quote> field."
 1557 msgstr ""
 1558 
 1559 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1560 #: sssd.conf.5.xml:1211
 1561 msgid "Default: <quote>*</quote>"
 1562 msgstr ""
 1563 
 1564 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1565 #: sssd.conf.5.xml:1214
 1566 msgid ""
 1567 "Note: This option can also be set per-domain which overwrites the value in "
 1568 "[nss] section."
 1569 msgstr ""
 1570 
 1571 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1572 #: sssd.conf.5.xml:1218
 1573 msgid ""
 1574 "Default: <quote>not set</quote> (remote domains), <quote>x</quote> (the "
 1575 "files domain), <quote>x</quote> (proxy domain with nss_files and "
 1576 "sssd-shadowutils target)"
 1577 msgstr ""
 1578 
 1579 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 1580 #: sssd.conf.5.xml:1228
 1581 msgid "PAM configuration options"
 1582 msgstr ""
 1583 
 1584 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 1585 #: sssd.conf.5.xml:1230
 1586 msgid ""
 1587 "These options can be used to configure the Pluggable Authentication Module "
 1588 "(PAM) service."
 1589 msgstr ""
 1590 
 1591 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1592 #: sssd.conf.5.xml:1235
 1593 msgid "offline_credentials_expiration (integer)"
 1594 msgstr ""
 1595 
 1596 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1597 #: sssd.conf.5.xml:1238
 1598 msgid ""
 1599 "If the authentication provider is offline, how long should we allow cached "
 1600 "logins (in days since the last successful online login)."
 1601 msgstr ""
 1602 
 1603 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1604 #: sssd.conf.5.xml:1243 sssd.conf.5.xml:1256
 1605 msgid "Default: 0 (No limit)"
 1606 msgstr ""
 1607 
 1608 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1609 #: sssd.conf.5.xml:1249
 1610 msgid "offline_failed_login_attempts (integer)"
 1611 msgstr ""
 1612 
 1613 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1614 #: sssd.conf.5.xml:1252
 1615 msgid ""
 1616 "If the authentication provider is offline, how many failed login attempts "
 1617 "are allowed."
 1618 msgstr ""
 1619 
 1620 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1621 #: sssd.conf.5.xml:1262
 1622 msgid "offline_failed_login_delay (integer)"
 1623 msgstr ""
 1624 
 1625 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1626 #: sssd.conf.5.xml:1265
 1627 msgid ""
 1628 "The time in minutes which has to pass after offline_failed_login_attempts "
 1629 "has been reached before a new login attempt is possible."
 1630 msgstr ""
 1631 
 1632 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1633 #: sssd.conf.5.xml:1270
 1634 msgid ""
 1635 "If set to 0 the user cannot authenticate offline if "
 1636 "offline_failed_login_attempts has been reached. Only a successful online "
 1637 "authentication can enable offline authentication again."
 1638 msgstr ""
 1639 
 1640 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1641 #: sssd.conf.5.xml:1276 sssd.conf.5.xml:1374
 1642 msgid "Default: 5"
 1643 msgstr ""
 1644 
 1645 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1646 #: sssd.conf.5.xml:1282
 1647 msgid "pam_verbosity (integer)"
 1648 msgstr ""
 1649 
 1650 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1651 #: sssd.conf.5.xml:1285
 1652 msgid ""
 1653 "Controls what kind of messages are shown to the user during "
 1654 "authentication. The higher the number to more messages are displayed."
 1655 msgstr ""
 1656 
 1657 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1658 #: sssd.conf.5.xml:1290
 1659 msgid "Currently sssd supports the following values:"
 1660 msgstr ""
 1661 
 1662 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1663 #: sssd.conf.5.xml:1293
 1664 msgid "<emphasis>0</emphasis>: do not show any message"
 1665 msgstr ""
 1666 
 1667 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1668 #: sssd.conf.5.xml:1296
 1669 msgid "<emphasis>1</emphasis>: show only important messages"
 1670 msgstr ""
 1671 
 1672 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1673 #: sssd.conf.5.xml:1300
 1674 msgid "<emphasis>2</emphasis>: show informational messages"
 1675 msgstr ""
 1676 
 1677 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1678 #: sssd.conf.5.xml:1303
 1679 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 1680 msgstr ""
 1681 
 1682 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 1683 #: sssd.conf.5.xml:1307 sssd.8.xml:63
 1684 msgid "Default: 1"
 1685 msgstr ""
 1686 
 1687 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1688 #: sssd.conf.5.xml:1313
 1689 msgid "pam_response_filter (string)"
 1690 msgstr ""
 1691 
 1692 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1693 #: sssd.conf.5.xml:1316
 1694 msgid ""
 1695 "A comma separated list of strings which allows to remove (filter) data sent "
 1696 "by the PAM responder to pam_sss PAM module. There are different kind of "
 1697 "responses sent to pam_sss e.g. messages displayed to the user or environment "
 1698 "variables which should be set by pam_sss."
 1699 msgstr ""
 1700 
 1701 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1702 #: sssd.conf.5.xml:1324
 1703 msgid ""
 1704 "While messages already can be controlled with the help of the pam_verbosity "
 1705 "option this option allows to filter out other kind of responses as well."
 1706 msgstr ""
 1707 
 1708 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 1709 #: sssd.conf.5.xml:1331
 1710 msgid "ENV"
 1711 msgstr ""
 1712 
 1713 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 1714 #: sssd.conf.5.xml:1332
 1715 msgid "Do not send any environment variables to any service."
 1716 msgstr ""
 1717 
 1718 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 1719 #: sssd.conf.5.xml:1335
 1720 msgid "ENV:var_name"
 1721 msgstr ""
 1722 
 1723 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 1724 #: sssd.conf.5.xml:1336
 1725 msgid "Do not send environment variable var_name to any service."
 1726 msgstr ""
 1727 
 1728 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 1729 #: sssd.conf.5.xml:1340
 1730 msgid "ENV:var_name:service"
 1731 msgstr ""
 1732 
 1733 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 1734 #: sssd.conf.5.xml:1341
 1735 msgid "Do not send environment variable var_name to service."
 1736 msgstr ""
 1737 
 1738 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1739 #: sssd.conf.5.xml:1329
 1740 msgid ""
 1741 "Currently the following filters are supported: <placeholder "
 1742 "type=\"variablelist\" id=\"0\"/>"
 1743 msgstr ""
 1744 
 1745 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1746 #: sssd.conf.5.xml:1351
 1747 msgid "Example: ENV:KRB5CCNAME:sudo-i"
 1748 msgstr ""
 1749 
 1750 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1751 #: sssd.conf.5.xml:1357
 1752 msgid "pam_id_timeout (integer)"
 1753 msgstr ""
 1754 
 1755 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1756 #: sssd.conf.5.xml:1360
 1757 msgid ""
 1758 "For any PAM request while SSSD is online, the SSSD will attempt to "
 1759 "immediately update the cached identity information for the user in order to "
 1760 "ensure that authentication takes place with the latest information."
 1761 msgstr ""
 1762 
 1763 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1764 #: sssd.conf.5.xml:1366
 1765 msgid ""
 1766 "A complete PAM conversation may perform multiple PAM requests, such as "
 1767 "account management and session opening. This option controls (on a "
 1768 "per-client-application basis) how long (in seconds) we can cache the "
 1769 "identity information to avoid excessive round-trips to the identity "
 1770 "provider."
 1771 msgstr ""
 1772 
 1773 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1774 #: sssd.conf.5.xml:1380
 1775 msgid "pam_pwd_expiration_warning (integer)"
 1776 msgstr ""
 1777 
 1778 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 1779 #: sssd.conf.5.xml:1383 sssd.conf.5.xml:2647
 1780 msgid "Display a warning N days before the password expires."
 1781 msgstr ""
 1782 
 1783 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1784 #: sssd.conf.5.xml:1386
 1785 msgid ""
 1786 "Please note that the backend server has to provide information about the "
 1787 "expiration time of the password.  If this information is missing, sssd "
 1788 "cannot display a warning."
 1789 msgstr ""
 1790 
 1791 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 1792 #: sssd.conf.5.xml:1392 sssd.conf.5.xml:2650
 1793 msgid ""
 1794 "If zero is set, then this filter is not applied, i.e. if the expiration "
 1795 "warning was received from backend server, it will automatically be "
 1796 "displayed."
 1797 msgstr ""
 1798 
 1799 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1800 #: sssd.conf.5.xml:1397
 1801 msgid ""
 1802 "This setting can be overridden by setting "
 1803 "<emphasis>pwd_expiration_warning</emphasis> for a particular domain."
 1804 msgstr ""
 1805 
 1806 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 1807 #: sssd.conf.5.xml:1402 sssd.conf.5.xml:3534 sssd-ldap.5.xml:549 sssd.8.xml:79
 1808 msgid "Default: 0"
 1809 msgstr ""
 1810 
 1811 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1812 #: sssd.conf.5.xml:1419
 1813 msgid "pam_trusted_users (string)"
 1814 msgstr ""
 1815 
 1816 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1817 #: sssd.conf.5.xml:1422
 1818 msgid ""
 1819 "Specifies the comma-separated list of UID values or user names that are "
 1820 "allowed to run PAM conversations against trusted domains.  Users not "
 1821 "included in this list can only access domains marked as public with "
 1822 "<quote>pam_public_domains</quote>.  User names are resolved to UIDs at "
 1823 "startup."
 1824 msgstr ""
 1825 
 1826 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1827 #: sssd.conf.5.xml:1432
 1828 msgid "Default: All users are considered trusted by default"
 1829 msgstr ""
 1830 
 1831 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1832 #: sssd.conf.5.xml:1436
 1833 msgid ""
 1834 "Please note that UID 0 is always allowed to access the PAM responder even in "
 1835 "case it is not in the pam_trusted_users list."
 1836 msgstr ""
 1837 
 1838 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1839 #: sssd.conf.5.xml:1443
 1840 msgid "pam_public_domains (string)"
 1841 msgstr ""
 1842 
 1843 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1844 #: sssd.conf.5.xml:1446
 1845 msgid ""
 1846 "Specifies the comma-separated list of domain names that are accessible even "
 1847 "to untrusted users."
 1848 msgstr ""
 1849 
 1850 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1851 #: sssd.conf.5.xml:1450
 1852 msgid "Two special values for pam_public_domains option are defined:"
 1853 msgstr ""
 1854 
 1855 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1856 #: sssd.conf.5.xml:1454
 1857 msgid "all (Untrusted users are allowed to access all domains in PAM responder.)"
 1858 msgstr ""
 1859 
 1860 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1861 #: sssd.conf.5.xml:1458
 1862 msgid ""
 1863 "none (Untrusted users are not allowed to access any domains PAM in "
 1864 "responder.)"
 1865 msgstr ""
 1866 
 1867 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 1868 #: sssd.conf.5.xml:1462 sssd.conf.5.xml:1487 sssd.conf.5.xml:1506
 1869 #: sssd.conf.5.xml:1684 sssd.conf.5.xml:2396 sssd.conf.5.xml:3463
 1870 #: sssd-ldap.5.xml:1091
 1871 msgid "Default: none"
 1872 msgstr ""
 1873 
 1874 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1875 #: sssd.conf.5.xml:1467
 1876 msgid "pam_account_expired_message (string)"
 1877 msgstr ""
 1878 
 1879 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1880 #: sssd.conf.5.xml:1470
 1881 msgid ""
 1882 "Allows a custom expiration message to be set, replacing the default "
 1883 "'Permission denied' message."
 1884 msgstr ""
 1885 
 1886 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1887 #: sssd.conf.5.xml:1475
 1888 msgid ""
 1889 "Note: Please be aware that message is only printed for the SSH service "
 1890 "unless pam_verbosity is set to 3 (show all messages and debug information)."
 1891 msgstr ""
 1892 
 1893 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 1894 #: sssd.conf.5.xml:1483
 1895 #, no-wrap
 1896 msgid ""
 1897 "pam_account_expired_message = Account expired, please contact help desk.\n"
 1898 "                            "
 1899 msgstr ""
 1900 
 1901 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1902 #: sssd.conf.5.xml:1492
 1903 msgid "pam_account_locked_message (string)"
 1904 msgstr ""
 1905 
 1906 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1907 #: sssd.conf.5.xml:1495
 1908 msgid ""
 1909 "Allows a custom lockout message to be set, replacing the default 'Permission "
 1910 "denied' message."
 1911 msgstr ""
 1912 
 1913 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 1914 #: sssd.conf.5.xml:1502
 1915 #, no-wrap
 1916 msgid ""
 1917 "pam_account_locked_message = Account locked, please contact help desk.\n"
 1918 "                            "
 1919 msgstr ""
 1920 
 1921 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1922 #: sssd.conf.5.xml:1511
 1923 msgid "pam_cert_auth (bool)"
 1924 msgstr ""
 1925 
 1926 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1927 #: sssd.conf.5.xml:1514
 1928 msgid ""
 1929 "Enable certificate based Smartcard authentication.  Since this requires "
 1930 "additional communication with the Smartcard which will delay the "
 1931 "authentication process this option is disabled by default."
 1932 msgstr ""
 1933 
 1934 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 1935 #: sssd.conf.5.xml:1520 sssd-ldap.5.xml:590 sssd-ldap.5.xml:611
 1936 #: sssd-ldap.5.xml:1169 sssd-ad.5.xml:482 sssd-ad.5.xml:558 sssd-ad.5.xml:1103
 1937 #: sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:244
 1938 msgid "Default: False"
 1939 msgstr ""
 1940 
 1941 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1942 #: sssd.conf.5.xml:1525
 1943 msgid "pam_cert_db_path (string)"
 1944 msgstr ""
 1945 
 1946 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1947 #: sssd.conf.5.xml:1528
 1948 msgid "The path to the certificate database."
 1949 msgstr ""
 1950 
 1951 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 1952 #: sssd.conf.5.xml:1531 sssd.conf.5.xml:2016 sssd.conf.5.xml:3990
 1953 msgid "Default:"
 1954 msgstr ""
 1955 
 1956 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 1957 #: sssd.conf.5.xml:1533 sssd.conf.5.xml:2018
 1958 msgid ""
 1959 "/etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted CA "
 1960 "certificates in PEM format)"
 1961 msgstr ""
 1962 
 1963 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1964 #: sssd.conf.5.xml:1543
 1965 msgid "p11_child_timeout (integer)"
 1966 msgstr ""
 1967 
 1968 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1969 #: sssd.conf.5.xml:1546
 1970 msgid "How many seconds will pam_sss wait for p11_child to finish."
 1971 msgstr ""
 1972 
 1973 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1974 #: sssd.conf.5.xml:1555
 1975 msgid "pam_app_services (string)"
 1976 msgstr ""
 1977 
 1978 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1979 #: sssd.conf.5.xml:1558
 1980 msgid ""
 1981 "Which PAM services are permitted to contact domains of type "
 1982 "<quote>application</quote>"
 1983 msgstr ""
 1984 
 1985 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 1986 #: sssd.conf.5.xml:1567
 1987 msgid "pam_p11_allowed_services (integer)"
 1988 msgstr ""
 1989 
 1990 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 1991 #: sssd.conf.5.xml:1570
 1992 msgid ""
 1993 "A comma-separated list of PAM service names for which it will be allowed to "
 1994 "use Smartcards."
 1995 msgstr ""
 1996 
 1997 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 1998 #: sssd.conf.5.xml:1585
 1999 #, no-wrap
 2000 msgid ""
 2001 "pam_p11_allowed_services = +my_pam_service, -login\n"
 2002 "                            "
 2003 msgstr ""
 2004 
 2005 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2006 #: sssd.conf.5.xml:1574
 2007 msgid ""
 2008 "It is possible to add another PAM service name to the default set by using "
 2009 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
 2010 "the default set by using <quote>-service_name</quote>. For example, in order "
 2011 "to replace a default PAM service name for authentication with Smartcards "
 2012 "(e.g. <quote>login</quote>) with a custom PAM service name "
 2013 "(e.g. <quote>my_pam_service</quote>), you would use the following "
 2014 "configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
 2015 msgstr ""
 2016 
 2017 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2018 #: sssd.conf.5.xml:1589 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
 2019 #: sssd-ad.5.xml:846 sssd-ad.5.xml:924
 2020 msgid "Default: the default set of PAM service names includes:"
 2021 msgstr ""
 2022 
 2023 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2024 #: sssd.conf.5.xml:1594 sssd-ad.5.xml:625
 2025 msgid "login"
 2026 msgstr ""
 2027 
 2028 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2029 #: sssd.conf.5.xml:1599 sssd-ad.5.xml:630
 2030 msgid "su"
 2031 msgstr ""
 2032 
 2033 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2034 #: sssd.conf.5.xml:1604 sssd-ad.5.xml:635
 2035 msgid "su-l"
 2036 msgstr ""
 2037 
 2038 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2039 #: sssd.conf.5.xml:1609 sssd-ad.5.xml:650
 2040 msgid "gdm-smartcard"
 2041 msgstr ""
 2042 
 2043 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2044 #: sssd.conf.5.xml:1614 sssd-ad.5.xml:645
 2045 msgid "gdm-password"
 2046 msgstr ""
 2047 
 2048 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2049 #: sssd.conf.5.xml:1619 sssd-ad.5.xml:655
 2050 msgid "kdm"
 2051 msgstr ""
 2052 
 2053 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2054 #: sssd.conf.5.xml:1624 sssd-ad.5.xml:933
 2055 msgid "sudo"
 2056 msgstr ""
 2057 
 2058 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2059 #: sssd.conf.5.xml:1629 sssd-ad.5.xml:938
 2060 msgid "sudo-i"
 2061 msgstr ""
 2062 
 2063 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2064 #: sssd.conf.5.xml:1634
 2065 msgid "gnome-screensaver"
 2066 msgstr ""
 2067 
 2068 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2069 #: sssd.conf.5.xml:1642
 2070 msgid "p11_wait_for_card_timeout (integer)"
 2071 msgstr ""
 2072 
 2073 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2074 #: sssd.conf.5.xml:1645
 2075 msgid ""
 2076 "If Smartcard authentication is required how many extra seconds in addition "
 2077 "to p11_child_timeout should the PAM responder wait until a Smartcard is "
 2078 "inserted."
 2079 msgstr ""
 2080 
 2081 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2082 #: sssd.conf.5.xml:1656
 2083 msgid "p11_uri (string)"
 2084 msgstr ""
 2085 
 2086 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2087 #: sssd.conf.5.xml:1659
 2088 msgid ""
 2089 "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the "
 2090 "selection of devices used for Smartcard authentication. By default SSSD's "
 2091 "p11_child will search for a PKCS#11 slot (reader)  where the 'removable' "
 2092 "flags is set and read the certificates from the inserted token from the "
 2093 "first slot found. If multiple readers are connected p11_uri can be used to "
 2094 "tell p11_child to use a specific reader."
 2095 msgstr ""
 2096 
 2097 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 2098 #: sssd.conf.5.xml:1672
 2099 #, no-wrap
 2100 msgid ""
 2101 "p11_uri = slot-description=My%20Smartcard%20Reader\n"
 2102 "                            "
 2103 msgstr ""
 2104 
 2105 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 2106 #: sssd.conf.5.xml:1676
 2107 #, no-wrap
 2108 msgid ""
 2109 "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n"
 2110 "                            "
 2111 msgstr ""
 2112 
 2113 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2114 #: sssd.conf.5.xml:1670
 2115 msgid ""
 2116 "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder "
 2117 "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the "
 2118 "debug output of p11_child. As an alternative the GnuTLS utility 'p11tool' "
 2119 "with e.g. the '--list-all' will show PKCS#11 URIs as well."
 2120 msgstr ""
 2121 
 2122 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2123 #: sssd.conf.5.xml:1689
 2124 msgid "pam_initgroups_scheme"
 2125 msgstr ""
 2126 
 2127 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 2128 #: sssd.conf.5.xml:1697
 2129 msgid "always"
 2130 msgstr ""
 2131 
 2132 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 2133 #: sssd.conf.5.xml:1698
 2134 msgid "Always do an online lookup, please note that pam_id_timeout still applies"
 2135 msgstr ""
 2136 
 2137 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 2138 #: sssd.conf.5.xml:1702
 2139 msgid "no_session"
 2140 msgstr ""
 2141 
 2142 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 2143 #: sssd.conf.5.xml:1703
 2144 msgid ""
 2145 "Only do an online lookup if there is no active session of the user, i.e. if "
 2146 "the user is currently not logged in"
 2147 msgstr ""
 2148 
 2149 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 2150 #: sssd.conf.5.xml:1708
 2151 msgid "never"
 2152 msgstr ""
 2153 
 2154 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 2155 #: sssd.conf.5.xml:1709
 2156 msgid ""
 2157 "Never force an online lookup, use the data from the cache as long as they "
 2158 "are not expired"
 2159 msgstr ""
 2160 
 2161 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2162 #: sssd.conf.5.xml:1692
 2163 msgid ""
 2164 "The PAM responder can force an online lookup to get the current group "
 2165 "memberships of the user trying to log in. This option controls when this "
 2166 "should be done and the following values are allowed: <placeholder "
 2167 "type=\"variablelist\" id=\"0\"/>"
 2168 msgstr ""
 2169 
 2170 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2171 #: sssd.conf.5.xml:1716
 2172 msgid "Default: no_session"
 2173 msgstr ""
 2174 
 2175 #. type: Content of: <reference><refentry><refsect1><para>
 2176 #: sssd.conf.5.xml:1721 sssd.conf.5.xml:3929
 2177 msgid "pam_gssapi_services"
 2178 msgstr ""
 2179 
 2180 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2181 #: sssd.conf.5.xml:1724
 2182 msgid ""
 2183 "Comma separated list of PAM services that are allowed to try GSSAPI "
 2184 "authentication using pam_sss_gss.so module."
 2185 msgstr ""
 2186 
 2187 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2188 #: sssd.conf.5.xml:1729
 2189 msgid ""
 2190 "To disable GSSAPI authentication, set this option to <quote>-</quote> "
 2191 "(dash)."
 2192 msgstr ""
 2193 
 2194 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2195 #: sssd.conf.5.xml:1733 sssd.conf.5.xml:1764 sssd.conf.5.xml:1802
 2196 msgid ""
 2197 "Note: This option can also be set per-domain which overwrites the value in "
 2198 "[pam] section. It can also be set for trusted domain which overwrites the "
 2199 "value in the domain section."
 2200 msgstr ""
 2201 
 2202 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 2203 #: sssd.conf.5.xml:1741
 2204 #, no-wrap
 2205 msgid ""
 2206 "pam_gssapi_services = sudo, sudo-i\n"
 2207 "                            "
 2208 msgstr ""
 2209 
 2210 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2211 #: sssd.conf.5.xml:1739 sssd.conf.5.xml:3457 sssd-secrets.5.xml:448
 2212 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 2213 msgstr ""
 2214 
 2215 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2216 #: sssd.conf.5.xml:1745
 2217 msgid "Default: - (GSSAPI authentication is disabled)"
 2218 msgstr ""
 2219 
 2220 #. type: Content of: <reference><refentry><refsect1><para>
 2221 #: sssd.conf.5.xml:1750 sssd.conf.5.xml:3930
 2222 msgid "pam_gssapi_check_upn"
 2223 msgstr ""
 2224 
 2225 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2226 #: sssd.conf.5.xml:1753
 2227 msgid ""
 2228 "If True, SSSD will require that the Kerberos user principal that "
 2229 "successfully authenticated through GSSAPI can be associated with the user "
 2230 "who is being authenticated. Authentication will fail if the check fails."
 2231 msgstr ""
 2232 
 2233 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2234 #: sssd.conf.5.xml:1760
 2235 msgid ""
 2236 "If False, every user that is able to obtained required service ticket will "
 2237 "be authenticated."
 2238 msgstr ""
 2239 
 2240 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2241 #: sssd.conf.5.xml:1770 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
 2242 msgid "Default: True"
 2243 msgstr ""
 2244 
 2245 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2246 #: sssd.conf.5.xml:1775
 2247 msgid "pam_gssapi_indicators_map"
 2248 msgstr ""
 2249 
 2250 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2251 #: sssd.conf.5.xml:1778
 2252 msgid ""
 2253 "Comma separated list of authentication indicators required to be present in "
 2254 "a Kerberos ticket to access a PAM service that is allowed to try GSSAPI "
 2255 "authentication using pam_sss_gss.so module."
 2256 msgstr ""
 2257 
 2258 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2259 #: sssd.conf.5.xml:1784
 2260 msgid ""
 2261 "Each element of the list can be either an authentication indicator name or a "
 2262 "pair <quote>service:indicator</quote>. Indicators not prefixed with the PAM "
 2263 "service name will be required to access any PAM service configured to be "
 2264 "used with <option>pam_gssapi_services</option>. A resulting list of "
 2265 "indicators per PAM service is then checked against indicators in the "
 2266 "Kerberos ticket during authentication by pam_sss_gss.so. Any indicator from "
 2267 "the ticket that matches the resulting list of indicators for the PAM service "
 2268 "would grant access. If none of the indicators in the list match, access will "
 2269 "be denied. If the resulting list of indicators for the PAM service is empty, "
 2270 "the check will not prevent the access."
 2271 msgstr ""
 2272 
 2273 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2274 #: sssd.conf.5.xml:1797
 2275 msgid ""
 2276 "To disable GSSAPI authentication indicator check, set this option to "
 2277 "<quote>-</quote> (dash). To disable the check for a specific PAM service, "
 2278 "add <quote>service:-</quote>."
 2279 msgstr ""
 2280 
 2281 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2282 #: sssd.conf.5.xml:1808
 2283 msgid ""
 2284 "Following authentication indicators are supported by IPA Kerberos "
 2285 "deployments:"
 2286 msgstr ""
 2287 
 2288 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2289 #: sssd.conf.5.xml:1811
 2290 msgid ""
 2291 "pkinit -- pre-authentication using X.509 certificates -- whether stored in "
 2292 "files or on smart cards."
 2293 msgstr ""
 2294 
 2295 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2296 #: sssd.conf.5.xml:1814
 2297 msgid ""
 2298 "hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a "
 2299 "FAST channel."
 2300 msgstr ""
 2301 
 2302 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2303 #: sssd.conf.5.xml:1817
 2304 msgid "radius -- pre-authentication with the help of a RADIUS server."
 2305 msgstr ""
 2306 
 2307 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 2308 #: sssd.conf.5.xml:1820
 2309 msgid ""
 2310 "otp -- pre-authentication using integrated two-factor authentication (2FA or "
 2311 "one-time password, OTP) in IPA."
 2312 msgstr ""
 2313 
 2314 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 2315 #: sssd.conf.5.xml:1830
 2316 #, no-wrap
 2317 msgid ""
 2318 "pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit\n"
 2319 "                            "
 2320 msgstr ""
 2321 
 2322 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2323 #: sssd.conf.5.xml:1825
 2324 msgid ""
 2325 "Example: to require access to SUDO services only for users which obtained "
 2326 "their Kerberos tickets with a X.509 certificate pre-authentication (PKINIT), "
 2327 "set <placeholder type=\"programlisting\" id=\"0\"/>"
 2328 msgstr ""
 2329 
 2330 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2331 #: sssd.conf.5.xml:1834
 2332 msgid "Default: not set (use of authentication indicators is not required)"
 2333 msgstr ""
 2334 
 2335 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 2336 #: sssd.conf.5.xml:1842
 2337 msgid "SUDO configuration options"
 2338 msgstr ""
 2339 
 2340 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 2341 #: sssd.conf.5.xml:1844
 2342 msgid ""
 2343 "These options can be used to configure the sudo service.  The detailed "
 2344 "instructions for configuration of <citerefentry> "
 2345 "<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
 2346 "to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
 2347 "<manvolnum>8</manvolnum> </citerefentry> are in the manual page "
 2348 "<citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
 2349 "<manvolnum>5</manvolnum> </citerefentry>."
 2350 msgstr ""
 2351 
 2352 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2353 #: sssd.conf.5.xml:1861
 2354 msgid "sudo_timed (bool)"
 2355 msgstr ""
 2356 
 2357 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2358 #: sssd.conf.5.xml:1864
 2359 msgid ""
 2360 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 2361 "that implement time-dependent sudoers entries."
 2362 msgstr ""
 2363 
 2364 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2365 #: sssd.conf.5.xml:1876
 2366 msgid "sudo_threshold (integer)"
 2367 msgstr ""
 2368 
 2369 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2370 #: sssd.conf.5.xml:1879
 2371 msgid ""
 2372 "Maximum number of expired rules that can be refreshed at once. If number of "
 2373 "expired rules is below threshold, those rules are refreshed with "
 2374 "<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
 2375 "<quote>full refresh</quote> of sudo rules is triggered instead. This "
 2376 "threshold number also applies to IPA sudo command and command group "
 2377 "searches."
 2378 msgstr ""
 2379 
 2380 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 2381 #: sssd.conf.5.xml:1898
 2382 msgid "AUTOFS configuration options"
 2383 msgstr ""
 2384 
 2385 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 2386 #: sssd.conf.5.xml:1900
 2387 msgid "These options can be used to configure the autofs service."
 2388 msgstr ""
 2389 
 2390 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2391 #: sssd.conf.5.xml:1904
 2392 msgid "autofs_negative_timeout (integer)"
 2393 msgstr ""
 2394 
 2395 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2396 #: sssd.conf.5.xml:1907
 2397 msgid ""
 2398 "Specifies for how many seconds should the autofs responder negative cache "
 2399 "hits (that is, queries for invalid map entries, like nonexistent ones) "
 2400 "before asking the back end again."
 2401 msgstr ""
 2402 
 2403 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 2404 #: sssd.conf.5.xml:1923
 2405 msgid "SSH configuration options"
 2406 msgstr ""
 2407 
 2408 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 2409 #: sssd.conf.5.xml:1925
 2410 msgid "These options can be used to configure the SSH service."
 2411 msgstr ""
 2412 
 2413 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2414 #: sssd.conf.5.xml:1929
 2415 msgid "ssh_hash_known_hosts (bool)"
 2416 msgstr ""
 2417 
 2418 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2419 #: sssd.conf.5.xml:1932
 2420 msgid ""
 2421 "Whether or not to hash host names and addresses in the managed known_hosts "
 2422 "file."
 2423 msgstr ""
 2424 
 2425 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2426 #: sssd.conf.5.xml:1941
 2427 msgid "ssh_known_hosts_timeout (integer)"
 2428 msgstr ""
 2429 
 2430 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2431 #: sssd.conf.5.xml:1944
 2432 msgid ""
 2433 "How many seconds to keep a host in the managed known_hosts file after its "
 2434 "host keys were requested."
 2435 msgstr ""
 2436 
 2437 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2438 #: sssd.conf.5.xml:1948
 2439 msgid "Default: 180"
 2440 msgstr ""
 2441 
 2442 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2443 #: sssd.conf.5.xml:1953
 2444 msgid "ssh_use_certificate_keys (bool)"
 2445 msgstr ""
 2446 
 2447 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2448 #: sssd.conf.5.xml:1956
 2449 msgid ""
 2450 "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh "
 2451 "keys derived from the public key of X.509 certificates stored in the user "
 2452 "entry as well. See <citerefentry> "
 2453 "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> "
 2454 "<manvolnum>1</manvolnum> </citerefentry> for details."
 2455 msgstr ""
 2456 
 2457 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2458 #: sssd.conf.5.xml:1971
 2459 msgid "ssh_use_certificate_matching_rules (string)"
 2460 msgstr ""
 2461 
 2462 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2463 #: sssd.conf.5.xml:1974
 2464 msgid ""
 2465 "By default the ssh responder will use all available certificate matching "
 2466 "rules to filter the certificates so that ssh keys are only derived from the "
 2467 "matching ones. With this option the used rules can be restricted with a "
 2468 "comma separated list of mapping and matching rule names. All other rules "
 2469 "will be ignored."
 2470 msgstr ""
 2471 
 2472 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2473 #: sssd.conf.5.xml:1983
 2474 msgid ""
 2475 "There are two special key words 'all_rules' and 'no_rules' which will enable "
 2476 "all or no rules, respectively. The latter means that no certificates will be "
 2477 "filtered out and ssh keys will be generated from all valid certificates."
 2478 msgstr ""
 2479 
 2480 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2481 #: sssd.conf.5.xml:1990
 2482 msgid ""
 2483 "If no rules are configured using 'all_rules' will enable a default rule "
 2484 "which enables all certificates suitable for client authentication.  This is "
 2485 "the same behavior as for the PAM responder if certificate authentication is "
 2486 "enabled."
 2487 msgstr ""
 2488 
 2489 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2490 #: sssd.conf.5.xml:1997
 2491 msgid ""
 2492 "A non-existing rule name is considered an error.  If as a result no rule is "
 2493 "selected all certificates will be ignored."
 2494 msgstr ""
 2495 
 2496 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2497 #: sssd.conf.5.xml:2002
 2498 msgid ""
 2499 "Default: not set, equivalent to 'all_rules', all found rules or the default "
 2500 "rule are used"
 2501 msgstr ""
 2502 
 2503 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2504 #: sssd.conf.5.xml:2008
 2505 msgid "ca_db (string)"
 2506 msgstr ""
 2507 
 2508 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2509 #: sssd.conf.5.xml:2011
 2510 msgid ""
 2511 "Path to a storage of trusted CA certificates. The option is used to validate "
 2512 "user certificates before deriving public ssh keys from them."
 2513 msgstr ""
 2514 
 2515 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 2516 #: sssd.conf.5.xml:2031
 2517 msgid "PAC responder configuration options"
 2518 msgstr ""
 2519 
 2520 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 2521 #: sssd.conf.5.xml:2033
 2522 msgid ""
 2523 "The PAC responder works together with the authorization data plugin for MIT "
 2524 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
 2525 "PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
 2526 "provider collects domain SID and ID ranges of the domain the client is "
 2527 "joined to and of remote trusted domains from the local domain controller. If "
 2528 "the PAC is decoded and evaluated some of the following operations are done:"
 2529 msgstr ""
 2530 
 2531 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 2532 #: sssd.conf.5.xml:2042
 2533 msgid ""
 2534 "If the remote user does not exist in the cache, it is created. The UID is "
 2535 "determined with the help of the SID, trusted domains will have UPGs and the "
 2536 "GID will have the same value as the UID. The home directory is set based on "
 2537 "the subdomain_homedir parameter. The shell will be empty by default, "
 2538 "i.e. the system defaults are used, but can be overwritten with the "
 2539 "default_shell parameter."
 2540 msgstr ""
 2541 
 2542 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 2543 #: sssd.conf.5.xml:2050
 2544 msgid ""
 2545 "If there are SIDs of groups from domains sssd knows about, the user will be "
 2546 "added to those groups."
 2547 msgstr ""
 2548 
 2549 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 2550 #: sssd.conf.5.xml:2056
 2551 msgid "These options can be used to configure the PAC responder."
 2552 msgstr ""
 2553 
 2554 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 2555 #: sssd.conf.5.xml:2060 sssd-ifp.5.xml:50
 2556 msgid "allowed_uids (string)"
 2557 msgstr ""
 2558 
 2559 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2560 #: sssd.conf.5.xml:2063
 2561 msgid ""
 2562 "Specifies the comma-separated list of UID values or user names that are "
 2563 "allowed to access the PAC responder. User names are resolved to UIDs at "
 2564 "startup."
 2565 msgstr ""
 2566 
 2567 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2568 #: sssd.conf.5.xml:2069
 2569 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 2570 msgstr ""
 2571 
 2572 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2573 #: sssd.conf.5.xml:2073
 2574 msgid ""
 2575 "Please note that although the UID 0 is used as the default it will be "
 2576 "overwritten with this option. If you still want to allow the root user to "
 2577 "access the PAC responder, which would be the typical case, you have to add 0 "
 2578 "to the list of allowed UIDs as well."
 2579 msgstr ""
 2580 
 2581 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 2582 #: sssd.conf.5.xml:2082
 2583 msgid "pac_lifetime (integer)"
 2584 msgstr ""
 2585 
 2586 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 2587 #: sssd.conf.5.xml:2085
 2588 msgid ""
 2589 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 2590 "data can be used to determine the group memberships of a user."
 2591 msgstr ""
 2592 
 2593 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 2594 #: sssd.conf.5.xml:2098
 2595 msgid "Session recording configuration options"
 2596 msgstr ""
 2597 
 2598 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 2599 #: sssd.conf.5.xml:2100
 2600 msgid ""
 2601 "Session recording works in conjunction with <citerefentry> "
 2602 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> "
 2603 "</citerefentry>, a part of tlog package, to log what users see and type when "
 2604 "they log in on a text terminal.  See also <citerefentry> "
 2605 "<refentrytitle>sssd-session-recording</refentrytitle> "
 2606 "<manvolnum>5</manvolnum> </citerefentry>."
 2607 msgstr ""
 2608 
 2609 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 2610 #: sssd.conf.5.xml:2113
 2611 msgid "These options can be used to configure session recording."
 2612 msgstr ""
 2613 
 2614 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 2615 #: sssd.conf.5.xml:2117 sssd-session-recording.5.xml:64
 2616 msgid "scope (string)"
 2617 msgstr ""
 2618 
 2619 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 2620 #: sssd.conf.5.xml:2124 sssd-session-recording.5.xml:71
 2621 msgid "\"none\""
 2622 msgstr ""
 2623 
 2624 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 2625 #: sssd.conf.5.xml:2127 sssd-session-recording.5.xml:74
 2626 msgid "No users are recorded."
 2627 msgstr ""
 2628 
 2629 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 2630 #: sssd.conf.5.xml:2132 sssd-session-recording.5.xml:79
 2631 msgid "\"some\""
 2632 msgstr ""
 2633 
 2634 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 2635 #: sssd.conf.5.xml:2135 sssd-session-recording.5.xml:82
 2636 msgid ""
 2637 "Users/groups specified by <replaceable>users</replaceable> and "
 2638 "<replaceable>groups</replaceable> options are recorded."
 2639 msgstr ""
 2640 
 2641 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 2642 #: sssd.conf.5.xml:2144 sssd-session-recording.5.xml:91
 2643 msgid "\"all\""
 2644 msgstr ""
 2645 
 2646 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 2647 #: sssd.conf.5.xml:2147 sssd-session-recording.5.xml:94
 2648 msgid "All users are recorded."
 2649 msgstr ""
 2650 
 2651 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2652 #: sssd.conf.5.xml:2120 sssd-session-recording.5.xml:67
 2653 msgid ""
 2654 "One of the following strings specifying the scope of session recording: "
 2655 "<placeholder type=\"variablelist\" id=\"0\"/>"
 2656 msgstr ""
 2657 
 2658 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2659 #: sssd.conf.5.xml:2154 sssd-session-recording.5.xml:101
 2660 msgid "Default: \"none\""
 2661 msgstr ""
 2662 
 2663 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 2664 #: sssd.conf.5.xml:2159 sssd-session-recording.5.xml:106
 2665 msgid "users (string)"
 2666 msgstr ""
 2667 
 2668 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2669 #: sssd.conf.5.xml:2162 sssd-session-recording.5.xml:109
 2670 msgid ""
 2671 "A comma-separated list of users which should have session recording "
 2672 "enabled. Matches user names as returned by NSS. I.e. after the possible "
 2673 "space replacement, case changes, etc."
 2674 msgstr ""
 2675 
 2676 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2677 #: sssd.conf.5.xml:2168 sssd-session-recording.5.xml:115
 2678 msgid "Default: Empty. Matches no users."
 2679 msgstr ""
 2680 
 2681 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 2682 #: sssd.conf.5.xml:2173 sssd-session-recording.5.xml:120
 2683 msgid "groups (string)"
 2684 msgstr ""
 2685 
 2686 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2687 #: sssd.conf.5.xml:2176 sssd-session-recording.5.xml:123
 2688 msgid ""
 2689 "A comma-separated list of groups, members of which should have session "
 2690 "recording enabled. Matches group names as returned by NSS. I.e. after the "
 2691 "possible space replacement, case changes, etc."
 2692 msgstr ""
 2693 
 2694 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2695 #: sssd.conf.5.xml:2182 sssd.conf.5.xml:2214 sssd-session-recording.5.xml:129
 2696 #: sssd-session-recording.5.xml:161
 2697 msgid ""
 2698 "NOTE: using this option (having it set to anything) has a considerable "
 2699 "performance cost, because each uncached request for a user requires "
 2700 "retrieving and matching the groups the user is member of."
 2701 msgstr ""
 2702 
 2703 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2704 #: sssd.conf.5.xml:2189 sssd-session-recording.5.xml:136
 2705 msgid "Default: Empty. Matches no groups."
 2706 msgstr ""
 2707 
 2708 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 2709 #: sssd.conf.5.xml:2194 sssd-session-recording.5.xml:141
 2710 msgid "exclude_users (string)"
 2711 msgstr ""
 2712 
 2713 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2714 #: sssd.conf.5.xml:2197 sssd-session-recording.5.xml:144
 2715 msgid ""
 2716 "A comma-separated list of users to be excluded from recording, only "
 2717 "applicable with 'scope=all'."
 2718 msgstr ""
 2719 
 2720 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2721 #: sssd.conf.5.xml:2201 sssd-session-recording.5.xml:148
 2722 msgid "Default: Empty. No users excluded."
 2723 msgstr ""
 2724 
 2725 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 2726 #: sssd.conf.5.xml:2206 sssd-session-recording.5.xml:153
 2727 msgid "exclude_groups (string)"
 2728 msgstr ""
 2729 
 2730 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2731 #: sssd.conf.5.xml:2209 sssd-session-recording.5.xml:156
 2732 msgid ""
 2733 "A comma-separated list of groups, members of which should be excluded from "
 2734 "recording. Only applicable with 'scope=all'."
 2735 msgstr ""
 2736 
 2737 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 2738 #: sssd.conf.5.xml:2221 sssd-session-recording.5.xml:168
 2739 msgid "Default: Empty. No groups excluded."
 2740 msgstr ""
 2741 
 2742 #. type: Content of: <reference><refentry><refsect1><title>
 2743 #: sssd.conf.5.xml:2231
 2744 msgid "DOMAIN SECTIONS"
 2745 msgstr ""
 2746 
 2747 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 2748 #: sssd.conf.5.xml:2238
 2749 msgid "enabled"
 2750 msgstr ""
 2751 
 2752 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2753 #: sssd.conf.5.xml:2241
 2754 msgid ""
 2755 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 2756 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
 2757 "always <quote>disabled</quote>. If this option is not set, the domain is "
 2758 "enabled only if it is listed in the domains option in the "
 2759 "<quote>[sssd]</quote> section."
 2760 msgstr ""
 2761 
 2762 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 2763 #: sssd.conf.5.xml:2253
 2764 msgid "domain_type (string)"
 2765 msgstr ""
 2766 
 2767 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2768 #: sssd.conf.5.xml:2256
 2769 msgid ""
 2770 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 2771 "as the Name Service Switch or by applications that do not need POSIX data to "
 2772 "be present or generated. Only objects from POSIX domains are available to "
 2773 "the operating system interfaces and utilities."
 2774 msgstr ""
 2775 
 2776 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2777 #: sssd.conf.5.xml:2264
 2778 msgid ""
 2779 "Allowed values for this option are <quote>posix</quote> and "
 2780 "<quote>application</quote>."
 2781 msgstr ""
 2782 
 2783 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2784 #: sssd.conf.5.xml:2268
 2785 msgid ""
 2786 "POSIX domains are reachable by all services. Application domains are only "
 2787 "reachable from the InfoPipe responder (see <citerefentry> "
 2788 "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> "
 2789 "</citerefentry>) and the PAM responder."
 2790 msgstr ""
 2791 
 2792 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2793 #: sssd.conf.5.xml:2276
 2794 msgid ""
 2795 "NOTE: The application domains are currently well tested with "
 2796 "<quote>id_provider=ldap</quote> only."
 2797 msgstr ""
 2798 
 2799 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2800 #: sssd.conf.5.xml:2280
 2801 msgid ""
 2802 "For an easy way to configure a non-POSIX domains, please see the "
 2803 "<quote>Application domains</quote> section."
 2804 msgstr ""
 2805 
 2806 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2807 #: sssd.conf.5.xml:2284
 2808 msgid "Default: posix"
 2809 msgstr ""
 2810 
 2811 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 2812 #: sssd.conf.5.xml:2290
 2813 msgid "min_id,max_id (integer)"
 2814 msgstr ""
 2815 
 2816 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2817 #: sssd.conf.5.xml:2293
 2818 msgid ""
 2819 "UID and GID limits for the domain. If a domain contains an entry that is "
 2820 "outside these limits, it is ignored."
 2821 msgstr ""
 2822 
 2823 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2824 #: sssd.conf.5.xml:2298
 2825 msgid ""
 2826 "For users, this affects the primary GID limit. The user will not be returned "
 2827 "to NSS if either the UID or the primary GID is outside the range. For "
 2828 "non-primary group memberships, those that are in range will be reported as "
 2829 "expected."
 2830 msgstr ""
 2831 
 2832 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2833 #: sssd.conf.5.xml:2305
 2834 msgid ""
 2835 "These ID limits affect even saving entries to cache, not only returning them "
 2836 "by name or ID."
 2837 msgstr ""
 2838 
 2839 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2840 #: sssd.conf.5.xml:2309
 2841 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 2842 msgstr ""
 2843 
 2844 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 2845 #: sssd.conf.5.xml:2315
 2846 msgid "enumerate (bool)"
 2847 msgstr ""
 2848 
 2849 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2850 #: sssd.conf.5.xml:2318
 2851 msgid ""
 2852 "Determines if a domain can be enumerated, that is, whether the domain can "
 2853 "list all the users and group it contains. Note that it is not required to "
 2854 "enable enumeration in order for secondary groups to be displayed. This "
 2855 "parameter can have one of the following values:"
 2856 msgstr ""
 2857 
 2858 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2859 #: sssd.conf.5.xml:2326
 2860 msgid "TRUE = Users and groups are enumerated"
 2861 msgstr ""
 2862 
 2863 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2864 #: sssd.conf.5.xml:2329
 2865 msgid "FALSE = No enumerations for this domain"
 2866 msgstr ""
 2867 
 2868 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2869 #: sssd.conf.5.xml:2332 sssd.conf.5.xml:2602 sssd.conf.5.xml:2778
 2870 msgid "Default: FALSE"
 2871 msgstr ""
 2872 
 2873 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2874 #: sssd.conf.5.xml:2335
 2875 msgid ""
 2876 "Enumerating a domain requires SSSD to download and store ALL user and group "
 2877 "entries from the remote server."
 2878 msgstr ""
 2879 
 2880 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2881 #: sssd.conf.5.xml:2340
 2882 msgid ""
 2883 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 2884 "enumeration is running. It may take up to several minutes after SSSD startup "
 2885 "to fully complete enumerations.  During this time, individual requests for "
 2886 "information will go directly to LDAP, though it may be slow, due to the "
 2887 "heavy enumeration processing. Saving a large number of entries to cache "
 2888 "after the enumeration completes might also be CPU intensive as the "
 2889 "memberships have to be recomputed. This can lead to the "
 2890 "<quote>sssd_be</quote> process becoming unresponsive or even restarted by "
 2891 "the internal watchdog."
 2892 msgstr ""
 2893 
 2894 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2895 #: sssd.conf.5.xml:2355
 2896 msgid ""
 2897 "While the first enumeration is running, requests for the complete user or "
 2898 "group lists may return no results until it completes."
 2899 msgstr ""
 2900 
 2901 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2902 #: sssd.conf.5.xml:2360
 2903 msgid ""
 2904 "Further, enabling enumeration may increase the time necessary to detect "
 2905 "network disconnection, as longer timeouts are required to ensure that "
 2906 "enumeration lookups are completed successfully.  For more information, refer "
 2907 "to the man pages for the specific id_provider in use."
 2908 msgstr ""
 2909 
 2910 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2911 #: sssd.conf.5.xml:2368
 2912 msgid ""
 2913 "For the reasons cited above, enabling enumeration is not recommended, "
 2914 "especially in large environments."
 2915 msgstr ""
 2916 
 2917 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 2918 #: sssd.conf.5.xml:2376
 2919 msgid "subdomain_enumerate (string)"
 2920 msgstr ""
 2921 
 2922 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 2923 #: sssd.conf.5.xml:2383
 2924 msgid "all"
 2925 msgstr ""
 2926 
 2927 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 2928 #: sssd.conf.5.xml:2384
 2929 msgid "All discovered trusted domains will be enumerated"
 2930 msgstr ""
 2931 
 2932 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 2933 #: sssd.conf.5.xml:2387
 2934 msgid "none"
 2935 msgstr ""
 2936 
 2937 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 2938 #: sssd.conf.5.xml:2388
 2939 msgid "No discovered trusted domains will be enumerated"
 2940 msgstr ""
 2941 
 2942 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2943 #: sssd.conf.5.xml:2379
 2944 msgid ""
 2945 "Whether any of autodetected trusted domains should be enumerated. The "
 2946 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
 2947 "Optionally, a list of one or more domain names can enable enumeration just "
 2948 "for these trusted domains."
 2949 msgstr ""
 2950 
 2951 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 2952 #: sssd.conf.5.xml:2402
 2953 msgid "entry_cache_timeout (integer)"
 2954 msgstr ""
 2955 
 2956 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2957 #: sssd.conf.5.xml:2405
 2958 msgid ""
 2959 "How many seconds should nss_sss consider entries valid before asking the "
 2960 "backend again"
 2961 msgstr ""
 2962 
 2963 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2964 #: sssd.conf.5.xml:2409
 2965 msgid ""
 2966 "The cache expiration timestamps are stored as attributes of individual "
 2967 "objects in the cache. Therefore, changing the cache timeout only has effect "
 2968 "for newly added or expired entries.  You should run the <citerefentry> "
 2969 "<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> "
 2970 "</citerefentry> tool in order to force refresh of entries that have already "
 2971 "been cached."
 2972 msgstr ""
 2973 
 2974 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2975 #: sssd.conf.5.xml:2422
 2976 msgid "Default: 5400"
 2977 msgstr ""
 2978 
 2979 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 2980 #: sssd.conf.5.xml:2428
 2981 msgid "entry_cache_user_timeout (integer)"
 2982 msgstr ""
 2983 
 2984 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2985 #: sssd.conf.5.xml:2431
 2986 msgid ""
 2987 "How many seconds should nss_sss consider user entries valid before asking "
 2988 "the backend again"
 2989 msgstr ""
 2990 
 2991 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 2992 #: sssd.conf.5.xml:2435 sssd.conf.5.xml:2448 sssd.conf.5.xml:2461
 2993 #: sssd.conf.5.xml:2474 sssd.conf.5.xml:2488 sssd.conf.5.xml:2501
 2994 #: sssd.conf.5.xml:2515 sssd.conf.5.xml:2529 sssd.conf.5.xml:2542
 2995 msgid "Default: entry_cache_timeout"
 2996 msgstr ""
 2997 
 2998 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 2999 #: sssd.conf.5.xml:2441
 3000 msgid "entry_cache_group_timeout (integer)"
 3001 msgstr ""
 3002 
 3003 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3004 #: sssd.conf.5.xml:2444
 3005 msgid ""
 3006 "How many seconds should nss_sss consider group entries valid before asking "
 3007 "the backend again"
 3008 msgstr ""
 3009 
 3010 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3011 #: sssd.conf.5.xml:2454
 3012 msgid "entry_cache_netgroup_timeout (integer)"
 3013 msgstr ""
 3014 
 3015 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3016 #: sssd.conf.5.xml:2457
 3017 msgid ""
 3018 "How many seconds should nss_sss consider netgroup entries valid before "
 3019 "asking the backend again"
 3020 msgstr ""
 3021 
 3022 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3023 #: sssd.conf.5.xml:2467
 3024 msgid "entry_cache_service_timeout (integer)"
 3025 msgstr ""
 3026 
 3027 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3028 #: sssd.conf.5.xml:2470
 3029 msgid ""
 3030 "How many seconds should nss_sss consider service entries valid before asking "
 3031 "the backend again"
 3032 msgstr ""
 3033 
 3034 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3035 #: sssd.conf.5.xml:2480
 3036 msgid "entry_cache_resolver_timeout (integer)"
 3037 msgstr ""
 3038 
 3039 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3040 #: sssd.conf.5.xml:2483
 3041 msgid ""
 3042 "How many seconds should nss_sss consider hosts and networks entries valid "
 3043 "before asking the backend again"
 3044 msgstr ""
 3045 
 3046 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3047 #: sssd.conf.5.xml:2494
 3048 msgid "entry_cache_sudo_timeout (integer)"
 3049 msgstr ""
 3050 
 3051 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3052 #: sssd.conf.5.xml:2497
 3053 msgid ""
 3054 "How many seconds should sudo consider rules valid before asking the backend "
 3055 "again"
 3056 msgstr ""
 3057 
 3058 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3059 #: sssd.conf.5.xml:2507
 3060 msgid "entry_cache_autofs_timeout (integer)"
 3061 msgstr ""
 3062 
 3063 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3064 #: sssd.conf.5.xml:2510
 3065 msgid ""
 3066 "How many seconds should the autofs service consider automounter maps valid "
 3067 "before asking the backend again"
 3068 msgstr ""
 3069 
 3070 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3071 #: sssd.conf.5.xml:2521
 3072 msgid "entry_cache_ssh_host_timeout (integer)"
 3073 msgstr ""
 3074 
 3075 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3076 #: sssd.conf.5.xml:2524
 3077 msgid ""
 3078 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 3079 "the host key for."
 3080 msgstr ""
 3081 
 3082 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3083 #: sssd.conf.5.xml:2535
 3084 msgid "entry_cache_computer_timeout (integer)"
 3085 msgstr ""
 3086 
 3087 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3088 #: sssd.conf.5.xml:2538
 3089 msgid ""
 3090 "How many seconds to keep the local computer entry before asking the backend "
 3091 "again"
 3092 msgstr ""
 3093 
 3094 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3095 #: sssd.conf.5.xml:2548
 3096 msgid "refresh_expired_interval (integer)"
 3097 msgstr ""
 3098 
 3099 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3100 #: sssd.conf.5.xml:2551
 3101 msgid ""
 3102 "Specifies how many seconds SSSD has to wait before triggering a background "
 3103 "refresh task which will refresh all expired or nearly expired records."
 3104 msgstr ""
 3105 
 3106 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3107 #: sssd.conf.5.xml:2556
 3108 msgid ""
 3109 "The background refresh will process users, groups and netgroups in the "
 3110 "cache. For users who have performed the initgroups (get group membership for "
 3111 "user, typically ran at login)  operation in the past, both the user entry "
 3112 "and the group membership are updated."
 3113 msgstr ""
 3114 
 3115 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3116 #: sssd.conf.5.xml:2564
 3117 msgid "This option is automatically inherited for all trusted domains."
 3118 msgstr ""
 3119 
 3120 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3121 #: sssd.conf.5.xml:2568
 3122 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 3123 msgstr ""
 3124 
 3125 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3126 #: sssd.conf.5.xml:2572
 3127 msgid ""
 3128 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 3129 "has already passed.  If there are existing cached entries, the background "
 3130 "task will refer to their original cache timeout values instead of current "
 3131 "configuration value.  This may lead to a situation in which background "
 3132 "refresh task appears to not be working. This is done by design to improve "
 3133 "offline mode operation and reuse of existing valid cache entries.  To make "
 3134 "this change instant the user may want to manually invalidate existing cache."
 3135 msgstr ""
 3136 
 3137 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3138 #: sssd.conf.5.xml:2585 sssd-ldap.5.xml:350 sssd-ipa.5.xml:269
 3139 msgid "Default: 0 (disabled)"
 3140 msgstr ""
 3141 
 3142 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3143 #: sssd.conf.5.xml:2591
 3144 msgid "cache_credentials (bool)"
 3145 msgstr ""
 3146 
 3147 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3148 #: sssd.conf.5.xml:2594
 3149 msgid "Determines if user credentials are also cached in the local LDB cache"
 3150 msgstr ""
 3151 
 3152 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3153 #: sssd.conf.5.xml:2598
 3154 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 3155 msgstr ""
 3156 
 3157 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3158 #: sssd.conf.5.xml:2608
 3159 msgid "cache_credentials_minimal_first_factor_length (int)"
 3160 msgstr ""
 3161 
 3162 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3163 #: sssd.conf.5.xml:2611
 3164 msgid ""
 3165 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 3166 "this value determines the minimal length the first authentication factor "
 3167 "(long term password) must have to be saved as SHA512 hash into the cache."
 3168 msgstr ""
 3169 
 3170 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3171 #: sssd.conf.5.xml:2618
 3172 msgid ""
 3173 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 3174 "the cache which would make them easy targets for brute-force attacks."
 3175 msgstr ""
 3176 
 3177 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3178 #: sssd.conf.5.xml:2629
 3179 msgid "account_cache_expiration (integer)"
 3180 msgstr ""
 3181 
 3182 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3183 #: sssd.conf.5.xml:2632
 3184 msgid ""
 3185 "Number of days entries are left in cache after last successful login before "
 3186 "being removed during a cleanup of the cache. 0 means keep forever.  The "
 3187 "value of this parameter must be greater than or equal to "
 3188 "offline_credentials_expiration."
 3189 msgstr ""
 3190 
 3191 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3192 #: sssd.conf.5.xml:2639
 3193 msgid "Default: 0 (unlimited)"
 3194 msgstr ""
 3195 
 3196 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3197 #: sssd.conf.5.xml:2644
 3198 msgid "pwd_expiration_warning (integer)"
 3199 msgstr ""
 3200 
 3201 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3202 #: sssd.conf.5.xml:2655
 3203 msgid ""
 3204 "Please note that the backend server has to provide information about the "
 3205 "expiration time of the password.  If this information is missing, sssd "
 3206 "cannot display a warning. Also an auth provider has to be configured for the "
 3207 "backend."
 3208 msgstr ""
 3209 
 3210 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3211 #: sssd.conf.5.xml:2662
 3212 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 3213 msgstr ""
 3214 
 3215 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3216 #: sssd.conf.5.xml:2668
 3217 msgid "id_provider (string)"
 3218 msgstr ""
 3219 
 3220 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3221 #: sssd.conf.5.xml:2671
 3222 msgid ""
 3223 "The identification provider used for the domain.  Supported ID providers "
 3224 "are:"
 3225 msgstr ""
 3226 
 3227 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3228 #: sssd.conf.5.xml:2675
 3229 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 3230 msgstr ""
 3231 
 3232 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3233 #: sssd.conf.5.xml:2678
 3234 msgid "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
 3235 msgstr ""
 3236 
 3237 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3238 #: sssd.conf.5.xml:2682
 3239 msgid ""
 3240 "<quote>files</quote>: FILES provider. See <citerefentry> "
 3241 "<refentrytitle>sssd-files</refentrytitle> <manvolnum>5</manvolnum> "
 3242 "</citerefentry> for more information on how to mirror local users and groups "
 3243 "into SSSD."
 3244 msgstr ""
 3245 
 3246 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3247 #: sssd.conf.5.xml:2690
 3248 msgid ""
 3249 "<quote>ldap</quote>: LDAP provider. See <citerefentry> "
 3250 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
 3251 "</citerefentry> for more information on configuring LDAP."
 3252 msgstr ""
 3253 
 3254 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3255 #: sssd.conf.5.xml:2698 sssd.conf.5.xml:2804 sssd.conf.5.xml:2859
 3256 #: sssd.conf.5.xml:2922
 3257 msgid ""
 3258 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 3259 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
 3260 "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
 3261 "FreeIPA."
 3262 msgstr ""
 3263 
 3264 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3265 #: sssd.conf.5.xml:2707 sssd.conf.5.xml:2813 sssd.conf.5.xml:2868
 3266 #: sssd.conf.5.xml:2931
 3267 msgid ""
 3268 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 3269 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
 3270 "</citerefentry> for more information on configuring Active Directory."
 3271 msgstr ""
 3272 
 3273 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3274 #: sssd.conf.5.xml:2718
 3275 msgid "use_fully_qualified_names (bool)"
 3276 msgstr ""
 3277 
 3278 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3279 #: sssd.conf.5.xml:2721
 3280 msgid ""
 3281 "Use the full name and domain (as formatted by the domain's full_name_format) "
 3282 "as the user's login name reported to NSS."
 3283 msgstr ""
 3284 
 3285 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3286 #: sssd.conf.5.xml:2726
 3287 msgid ""
 3288 "If set to TRUE, all requests to this domain must use fully qualified "
 3289 "names. For example, if used in LOCAL domain that contains a \"test\" user, "
 3290 "<command>getent passwd test</command> wouldn't find the user while "
 3291 "<command>getent passwd test@LOCAL</command> would."
 3292 msgstr ""
 3293 
 3294 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3295 #: sssd.conf.5.xml:2734
 3296 msgid ""
 3297 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 3298 "include nested netgroups without qualified names. For netgroups, all domains "
 3299 "will be searched when an unqualified name is requested."
 3300 msgstr ""
 3301 
 3302 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3303 #: sssd.conf.5.xml:2741
 3304 msgid ""
 3305 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 3306 "default_domain_suffix is used)"
 3307 msgstr ""
 3308 
 3309 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3310 #: sssd.conf.5.xml:2748
 3311 msgid "ignore_group_members (bool)"
 3312 msgstr ""
 3313 
 3314 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3315 #: sssd.conf.5.xml:2751
 3316 msgid "Do not return group members for group lookups."
 3317 msgstr ""
 3318 
 3319 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3320 #: sssd.conf.5.xml:2754
 3321 msgid ""
 3322 "If set to TRUE, the group membership attribute is not requested from the "
 3323 "ldap server, and group members are not returned when processing group lookup "
 3324 "calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
 3325 "<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> "
 3326 "<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> "
 3327 "</citerefentry>.  As an effect, <quote>getent group $groupname</quote> would "
 3328 "return the requested group as if it was empty."
 3329 msgstr ""
 3330 
 3331 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3332 #: sssd.conf.5.xml:2772
 3333 msgid ""
 3334 "Enabling this option can also make access provider checks for group "
 3335 "membership significantly faster, especially for groups containing many "
 3336 "members."
 3337 msgstr ""
 3338 
 3339 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3340 #: sssd.conf.5.xml:2783
 3341 msgid "auth_provider (string)"
 3342 msgstr ""
 3343 
 3344 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3345 #: sssd.conf.5.xml:2786
 3346 msgid ""
 3347 "The authentication provider used for the domain.  Supported auth providers "
 3348 "are:"
 3349 msgstr ""
 3350 
 3351 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3352 #: sssd.conf.5.xml:2790 sssd.conf.5.xml:2852
 3353 msgid ""
 3354 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 3355 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
 3356 "</citerefentry> for more information on configuring LDAP."
 3357 msgstr ""
 3358 
 3359 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3360 #: sssd.conf.5.xml:2797
 3361 msgid ""
 3362 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 3363 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
 3364 "</citerefentry> for more information on configuring Kerberos."
 3365 msgstr ""
 3366 
 3367 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3368 #: sssd.conf.5.xml:2821
 3369 msgid "<quote>proxy</quote> for relaying authentication to some other PAM target."
 3370 msgstr ""
 3371 
 3372 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3373 #: sssd.conf.5.xml:2824
 3374 msgid "<quote>local</quote>: SSSD internal provider for local users"
 3375 msgstr ""
 3376 
 3377 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3378 #: sssd.conf.5.xml:2828
 3379 msgid "<quote>none</quote> disables authentication explicitly."
 3380 msgstr ""
 3381 
 3382 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3383 #: sssd.conf.5.xml:2831
 3384 msgid ""
 3385 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 3386 "authentication requests."
 3387 msgstr ""
 3388 
 3389 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3390 #: sssd.conf.5.xml:2837
 3391 msgid "access_provider (string)"
 3392 msgstr ""
 3393 
 3394 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3395 #: sssd.conf.5.xml:2840
 3396 msgid ""
 3397 "The access control provider used for the domain.  There are two built-in "
 3398 "access providers (in addition to any included in installed backends)  "
 3399 "Internal special providers are:"
 3400 msgstr ""
 3401 
 3402 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3403 #: sssd.conf.5.xml:2846
 3404 msgid ""
 3405 "<quote>permit</quote> always allow access. It's the only permitted access "
 3406 "provider for a local domain."
 3407 msgstr ""
 3408 
 3409 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3410 #: sssd.conf.5.xml:2849
 3411 msgid "<quote>deny</quote> always deny access."
 3412 msgstr ""
 3413 
 3414 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3415 #: sssd.conf.5.xml:2876
 3416 msgid ""
 3417 "<quote>simple</quote> access control based on access or deny lists. See "
 3418 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> "
 3419 "<manvolnum>5</manvolnum></citerefentry> for more information on configuring "
 3420 "the simple access module."
 3421 msgstr ""
 3422 
 3423 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3424 #: sssd.conf.5.xml:2883
 3425 msgid ""
 3426 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 3427 "<refentrytitle>sssd-krb5</refentrytitle> "
 3428 "<manvolnum>5</manvolnum></citerefentry> for more information on configuring "
 3429 "Kerberos."
 3430 msgstr ""
 3431 
 3432 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3433 #: sssd.conf.5.xml:2890
 3434 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 3435 msgstr ""
 3436 
 3437 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3438 #: sssd.conf.5.xml:2893
 3439 msgid "Default: <quote>permit</quote>"
 3440 msgstr ""
 3441 
 3442 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3443 #: sssd.conf.5.xml:2898
 3444 msgid "chpass_provider (string)"
 3445 msgstr ""
 3446 
 3447 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3448 #: sssd.conf.5.xml:2901
 3449 msgid ""
 3450 "The provider which should handle change password operations for the domain.  "
 3451 "Supported change password providers are:"
 3452 msgstr ""
 3453 
 3454 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3455 #: sssd.conf.5.xml:2906
 3456 msgid ""
 3457 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 3458 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
 3459 "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
 3460 "LDAP."
 3461 msgstr ""
 3462 
 3463 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3464 #: sssd.conf.5.xml:2914
 3465 msgid ""
 3466 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 3467 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
 3468 "</citerefentry> for more information on configuring Kerberos."
 3469 msgstr ""
 3470 
 3471 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3472 #: sssd.conf.5.xml:2939
 3473 msgid "<quote>proxy</quote> for relaying password changes to some other PAM target."
 3474 msgstr ""
 3475 
 3476 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3477 #: sssd.conf.5.xml:2943
 3478 msgid "<quote>none</quote> disallows password changes explicitly."
 3479 msgstr ""
 3480 
 3481 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3482 #: sssd.conf.5.xml:2946
 3483 msgid ""
 3484 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 3485 "change password requests."
 3486 msgstr ""
 3487 
 3488 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3489 #: sssd.conf.5.xml:2953
 3490 msgid "sudo_provider (string)"
 3491 msgstr ""
 3492 
 3493 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3494 #: sssd.conf.5.xml:2956
 3495 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 3496 msgstr ""
 3497 
 3498 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3499 #: sssd.conf.5.xml:2960
 3500 msgid ""
 3501 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 3502 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
 3503 "</citerefentry> for more information on configuring LDAP."
 3504 msgstr ""
 3505 
 3506 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3507 #: sssd.conf.5.xml:2968
 3508 msgid ""
 3509 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 3510 "settings."
 3511 msgstr ""
 3512 
 3513 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3514 #: sssd.conf.5.xml:2972
 3515 msgid ""
 3516 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 3517 "settings."
 3518 msgstr ""
 3519 
 3520 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3521 #: sssd.conf.5.xml:2976
 3522 msgid "<quote>none</quote> disables SUDO explicitly."
 3523 msgstr ""
 3524 
 3525 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3526 #: sssd.conf.5.xml:2979 sssd.conf.5.xml:3065 sssd.conf.5.xml:3135
 3527 #: sssd.conf.5.xml:3160 sssd.conf.5.xml:3196
 3528 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 3529 msgstr ""
 3530 
 3531 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3532 #: sssd.conf.5.xml:2983
 3533 msgid ""
 3534 "The detailed instructions for configuration of sudo_provider are in the "
 3535 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
 3536 "<manvolnum>5</manvolnum> </citerefentry>.  There are many configuration "
 3537 "options that can be used to adjust the behavior. Please refer to "
 3538 "\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
 3539 "<manvolnum>5</manvolnum> </citerefentry>."
 3540 msgstr ""
 3541 
 3542 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3543 #: sssd.conf.5.xml:2998
 3544 msgid ""
 3545 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 3546 "background unless the sudo provider is explicitly disabled. Set "
 3547 "<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
 3548 "activity in SSSD if you do not want to use sudo with SSSD at all."
 3549 msgstr ""
 3550 
 3551 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3552 #: sssd.conf.5.xml:3008
 3553 msgid "selinux_provider (string)"
 3554 msgstr ""
 3555 
 3556 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3557 #: sssd.conf.5.xml:3011
 3558 msgid ""
 3559 "The provider which should handle loading of selinux settings. Note that this "
 3560 "provider will be called right after access provider ends.  Supported selinux "
 3561 "providers are:"
 3562 msgstr ""
 3563 
 3564 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3565 #: sssd.conf.5.xml:3017
 3566 msgid ""
 3567 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 3568 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
 3569 "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
 3570 "IPA."
 3571 msgstr ""
 3572 
 3573 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3574 #: sssd.conf.5.xml:3025
 3575 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 3576 msgstr ""
 3577 
 3578 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3579 #: sssd.conf.5.xml:3028
 3580 msgid ""
 3581 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 3582 "selinux loading requests."
 3583 msgstr ""
 3584 
 3585 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3586 #: sssd.conf.5.xml:3034
 3587 msgid "subdomains_provider (string)"
 3588 msgstr ""
 3589 
 3590 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3591 #: sssd.conf.5.xml:3037
 3592 msgid ""
 3593 "The provider which should handle fetching of subdomains. This value should "
 3594 "be always the same as id_provider.  Supported subdomain providers are:"
 3595 msgstr ""
 3596 
 3597 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3598 #: sssd.conf.5.xml:3043
 3599 msgid ""
 3600 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 3601 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
 3602 "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
 3603 "IPA."
 3604 msgstr ""
 3605 
 3606 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3607 #: sssd.conf.5.xml:3052
 3608 msgid ""
 3609 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 3610 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
 3611 "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
 3612 "the AD provider."
 3613 msgstr ""
 3614 
 3615 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3616 #: sssd.conf.5.xml:3061
 3617 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 3618 msgstr ""
 3619 
 3620 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3621 #: sssd.conf.5.xml:3071
 3622 msgid "session_provider (string)"
 3623 msgstr ""
 3624 
 3625 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3626 #: sssd.conf.5.xml:3074
 3627 msgid ""
 3628 "The provider which configures and manages user session related tasks. The "
 3629 "only user session task currently provided is the integration with Fleet "
 3630 "Commander, which works only with IPA.  Supported session providers are:"
 3631 msgstr ""
 3632 
 3633 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3634 #: sssd.conf.5.xml:3081
 3635 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 3636 msgstr ""
 3637 
 3638 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3639 #: sssd.conf.5.xml:3085
 3640 msgid "<quote>none</quote> does not perform any kind of user session related tasks."
 3641 msgstr ""
 3642 
 3643 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3644 #: sssd.conf.5.xml:3089
 3645 msgid ""
 3646 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 3647 "session related tasks."
 3648 msgstr ""
 3649 
 3650 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3651 #: sssd.conf.5.xml:3093
 3652 msgid ""
 3653 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 3654 "SSSD must be running as \"root\" and not as the unprivileged user."
 3655 msgstr ""
 3656 
 3657 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3658 #: sssd.conf.5.xml:3101
 3659 msgid "autofs_provider (string)"
 3660 msgstr ""
 3661 
 3662 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3663 #: sssd.conf.5.xml:3104
 3664 msgid "The autofs provider used for the domain.  Supported autofs providers are:"
 3665 msgstr ""
 3666 
 3667 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3668 #: sssd.conf.5.xml:3108
 3669 msgid ""
 3670 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 3671 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
 3672 "</citerefentry> for more information on configuring LDAP."
 3673 msgstr ""
 3674 
 3675 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3676 #: sssd.conf.5.xml:3115
 3677 msgid ""
 3678 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 3679 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> "
 3680 "</citerefentry> for more information on configuring IPA."
 3681 msgstr ""
 3682 
 3683 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3684 #: sssd.conf.5.xml:3123
 3685 msgid ""
 3686 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 3687 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
 3688 "</citerefentry> for more information on configuring the AD provider."
 3689 msgstr ""
 3690 
 3691 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3692 #: sssd.conf.5.xml:3132
 3693 msgid "<quote>none</quote> disables autofs explicitly."
 3694 msgstr ""
 3695 
 3696 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3697 #: sssd.conf.5.xml:3142
 3698 msgid "hostid_provider (string)"
 3699 msgstr ""
 3700 
 3701 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3702 #: sssd.conf.5.xml:3145
 3703 msgid ""
 3704 "The provider used for retrieving host identity information.  Supported "
 3705 "hostid providers are:"
 3706 msgstr ""
 3707 
 3708 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3709 #: sssd.conf.5.xml:3149
 3710 msgid ""
 3711 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 3712 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
 3713 "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
 3714 "IPA."
 3715 msgstr ""
 3716 
 3717 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3718 #: sssd.conf.5.xml:3157
 3719 msgid "<quote>none</quote> disables hostid explicitly."
 3720 msgstr ""
 3721 
 3722 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3723 #: sssd.conf.5.xml:3167
 3724 msgid "resolver_provider (string)"
 3725 msgstr ""
 3726 
 3727 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3728 #: sssd.conf.5.xml:3170
 3729 msgid ""
 3730 "The provider which should handle hosts and networks lookups. Supported "
 3731 "resolver providers are:"
 3732 msgstr ""
 3733 
 3734 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3735 #: sssd.conf.5.xml:3174
 3736 msgid ""
 3737 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 3738 "<quote>proxy_resolver_lib_name</quote>"
 3739 msgstr ""
 3740 
 3741 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3742 #: sssd.conf.5.xml:3178
 3743 msgid ""
 3744 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 3745 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
 3746 "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
 3747 "LDAP."
 3748 msgstr ""
 3749 
 3750 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3751 #: sssd.conf.5.xml:3185
 3752 msgid ""
 3753 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 3754 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
 3755 "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
 3756 "the AD provider."
 3757 msgstr ""
 3758 
 3759 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3760 #: sssd.conf.5.xml:3193
 3761 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 3762 msgstr ""
 3763 
 3764 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3765 #: sssd.conf.5.xml:3206
 3766 msgid ""
 3767 "Regular expression for this domain that describes how to parse the string "
 3768 "containing user name and domain into these components.  The \"domain\" can "
 3769 "match either the SSSD configuration domain name, or, in the case of IPA "
 3770 "trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
 3771 "the domain."
 3772 msgstr ""
 3773 
 3774 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3775 #: sssd.conf.5.xml:3215
 3776 msgid ""
 3777 "Default for the AD and IPA provider: "
 3778 "<quote>(((?P&lt;domain&gt;[^\\\\]+)\\\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?P&lt;name&gt;[^@\\\\]+)$))</quote> "
 3779 "which allows three different styles for user names:"
 3780 msgstr ""
 3781 
 3782 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 3783 #: sssd.conf.5.xml:3220
 3784 msgid "username"
 3785 msgstr ""
 3786 
 3787 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 3788 #: sssd.conf.5.xml:3223
 3789 msgid "username@domain.name"
 3790 msgstr ""
 3791 
 3792 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 3793 #: sssd.conf.5.xml:3226
 3794 msgid "domain\\username"
 3795 msgstr ""
 3796 
 3797 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3798 #: sssd.conf.5.xml:3229
 3799 msgid ""
 3800 "While the first two correspond to the general default the third one is "
 3801 "introduced to allow easy integration of users from Windows domains."
 3802 msgstr ""
 3803 
 3804 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3805 #: sssd.conf.5.xml:3234
 3806 msgid ""
 3807 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 3808 "which translates to \"the name is everything up to the <quote>@</quote> "
 3809 "sign, the domain everything after that\""
 3810 msgstr ""
 3811 
 3812 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3813 #: sssd.conf.5.xml:3240
 3814 msgid ""
 3815 "NOTE: Some Active Directory groups, typically those used for MS Exchange "
 3816 "contain an <quote>@</quote> sign in the name, which clashes with the default "
 3817 "re_expression value for the AD and IPA providers. To support these groups, "
 3818 "consider changing the re_expression value to: "
 3819 "<quote>((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))</quote>."
 3820 msgstr ""
 3821 
 3822 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3823 #: sssd.conf.5.xml:3291
 3824 msgid "Default: <quote>%1$s@%2$s</quote>."
 3825 msgstr ""
 3826 
 3827 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3828 #: sssd.conf.5.xml:3297
 3829 msgid "lookup_family_order (string)"
 3830 msgstr ""
 3831 
 3832 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3833 #: sssd.conf.5.xml:3300
 3834 msgid ""
 3835 "Provides the ability to select preferred address family to use when "
 3836 "performing DNS lookups."
 3837 msgstr ""
 3838 
 3839 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3840 #: sssd.conf.5.xml:3304
 3841 msgid "Supported values:"
 3842 msgstr ""
 3843 
 3844 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3845 #: sssd.conf.5.xml:3307
 3846 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 3847 msgstr ""
 3848 
 3849 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3850 #: sssd.conf.5.xml:3310
 3851 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 3852 msgstr ""
 3853 
 3854 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3855 #: sssd.conf.5.xml:3313
 3856 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 3857 msgstr ""
 3858 
 3859 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3860 #: sssd.conf.5.xml:3316
 3861 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 3862 msgstr ""
 3863 
 3864 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3865 #: sssd.conf.5.xml:3319
 3866 msgid "Default: ipv4_first"
 3867 msgstr ""
 3868 
 3869 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3870 #: sssd.conf.5.xml:3325
 3871 msgid "dns_resolver_timeout (integer)"
 3872 msgstr ""
 3873 
 3874 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3875 #: sssd.conf.5.xml:3328
 3876 msgid ""
 3877 "Defines the amount of time (in seconds) to wait for a reply from the "
 3878 "internal fail over service before assuming that the service is "
 3879 "unreachable. If this timeout is reached, the domain will continue to operate "
 3880 "in offline mode."
 3881 msgstr ""
 3882 
 3883 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3884 #: sssd.conf.5.xml:3335
 3885 msgid ""
 3886 "Please see the section <quote>FAILOVER</quote> for more information about "
 3887 "the service resolution."
 3888 msgstr ""
 3889 
 3890 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3891 #: sssd.conf.5.xml:3346
 3892 msgid "dns_discovery_domain (string)"
 3893 msgstr ""
 3894 
 3895 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3896 #: sssd.conf.5.xml:3349
 3897 msgid ""
 3898 "If service discovery is used in the back end, specifies the domain part of "
 3899 "the service discovery DNS query."
 3900 msgstr ""
 3901 
 3902 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3903 #: sssd.conf.5.xml:3353
 3904 msgid "Default: Use the domain part of machine's hostname"
 3905 msgstr ""
 3906 
 3907 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3908 #: sssd.conf.5.xml:3359
 3909 msgid "override_gid (integer)"
 3910 msgstr ""
 3911 
 3912 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3913 #: sssd.conf.5.xml:3362
 3914 msgid "Override the primary GID value with the one specified."
 3915 msgstr ""
 3916 
 3917 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3918 #: sssd.conf.5.xml:3368
 3919 msgid "case_sensitive (string)"
 3920 msgstr ""
 3921 
 3922 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 3923 #: sssd.conf.5.xml:3379
 3924 msgid "True"
 3925 msgstr ""
 3926 
 3927 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 3928 #: sssd.conf.5.xml:3382
 3929 msgid "Case sensitive. This value is invalid for AD provider."
 3930 msgstr ""
 3931 
 3932 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 3933 #: sssd.conf.5.xml:3388
 3934 msgid "False"
 3935 msgstr ""
 3936 
 3937 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 3938 #: sssd.conf.5.xml:3390
 3939 msgid "Case insensitive."
 3940 msgstr ""
 3941 
 3942 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 3943 #: sssd.conf.5.xml:3394
 3944 msgid "Preserving"
 3945 msgstr ""
 3946 
 3947 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 3948 #: sssd.conf.5.xml:3397
 3949 msgid ""
 3950 "Same as False (case insensitive), but does not lowercase names in the result "
 3951 "of NSS operations. Note that name aliases (and in case of services also "
 3952 "protocol names) are still lowercased in the output."
 3953 msgstr ""
 3954 
 3955 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 3956 #: sssd.conf.5.xml:3405
 3957 msgid ""
 3958 "If you want to set this value for trusted domain with IPA provider, you need "
 3959 "to set it on both the client and SSSD on the server."
 3960 msgstr ""
 3961 
 3962 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3963 #: sssd.conf.5.xml:3371
 3964 msgid ""
 3965 "Treat user and group names as case sensitive.  <phrase "
 3966 "condition=\"enable_local_provider\"> At the moment, this option is not "
 3967 "supported in the local provider.  </phrase> Possible option values are: "
 3968 "<placeholder type=\"variablelist\" id=\"0\"/>"
 3969 msgstr ""
 3970 
 3971 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3972 #: sssd.conf.5.xml:3415
 3973 msgid ""
 3974 "This option can be also set per subdomain or inherited via "
 3975 "<emphasis>subdomain_inherit</emphasis>."
 3976 msgstr ""
 3977 
 3978 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3979 #: sssd.conf.5.xml:3420
 3980 msgid "Default: True (False for AD provider)"
 3981 msgstr ""
 3982 
 3983 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 3984 #: sssd.conf.5.xml:3426
 3985 msgid "subdomain_inherit (string)"
 3986 msgstr ""
 3987 
 3988 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3989 #: sssd.conf.5.xml:3429
 3990 msgid ""
 3991 "Specifies a list of configuration parameters that should be inherited by a "
 3992 "subdomain. Please note that only selected parameters can be inherited.  "
 3993 "Currently the following options can be inherited:"
 3994 msgstr ""
 3995 
 3996 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 3997 #: sssd.conf.5.xml:3435
 3998 msgid "ignore_group_members"
 3999 msgstr ""
 4000 
 4001 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4002 #: sssd.conf.5.xml:3438
 4003 msgid "ldap_purge_cache_timeout"
 4004 msgstr ""
 4005 
 4006 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4007 #: sssd.conf.5.xml:3441 sssd-ldap.5.xml:390
 4008 msgid "ldap_use_tokengroups"
 4009 msgstr ""
 4010 
 4011 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4012 #: sssd.conf.5.xml:3444
 4013 msgid "ldap_user_principal"
 4014 msgstr ""
 4015 
 4016 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4017 #: sssd.conf.5.xml:3447
 4018 msgid ""
 4019 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 4020 "is not set explicitly)"
 4021 msgstr ""
 4022 
 4023 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4024 #: sssd.conf.5.xml:3451
 4025 msgid "auto_private_groups"
 4026 msgstr ""
 4027 
 4028 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4029 #: sssd.conf.5.xml:3454
 4030 msgid "case_sensitive"
 4031 msgstr ""
 4032 
 4033 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
 4034 #: sssd.conf.5.xml:3459
 4035 #, no-wrap
 4036 msgid ""
 4037 "subdomain_inherit = ldap_purge_cache_timeout\n"
 4038 "                            "
 4039 msgstr ""
 4040 
 4041 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4042 #: sssd.conf.5.xml:3466
 4043 msgid "Note: This option only works with the IPA and AD provider."
 4044 msgstr ""
 4045 
 4046 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4047 #: sssd.conf.5.xml:3473
 4048 msgid "subdomain_homedir (string)"
 4049 msgstr ""
 4050 
 4051 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 4052 #: sssd.conf.5.xml:3484
 4053 msgid "%F"
 4054 msgstr ""
 4055 
 4056 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4057 #: sssd.conf.5.xml:3485
 4058 msgid "flat (NetBIOS) name of a subdomain."
 4059 msgstr ""
 4060 
 4061 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4062 #: sssd.conf.5.xml:3476
 4063 msgid ""
 4064 "Use this homedir as default value for all subdomains within this domain in "
 4065 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
 4066 "possible values. In addition to those, the expansion below can only be used "
 4067 "with <emphasis>subdomain_homedir</emphasis>.  <placeholder "
 4068 "type=\"variablelist\" id=\"0\"/>"
 4069 msgstr ""
 4070 
 4071 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4072 #: sssd.conf.5.xml:3490
 4073 msgid "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 4074 msgstr ""
 4075 
 4076 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4077 #: sssd.conf.5.xml:3494
 4078 msgid "Default: <filename>/home/%d/%u</filename>"
 4079 msgstr ""
 4080 
 4081 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4082 #: sssd.conf.5.xml:3499
 4083 msgid "realmd_tags (string)"
 4084 msgstr ""
 4085 
 4086 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4087 #: sssd.conf.5.xml:3502
 4088 msgid "Various tags stored by the realmd configuration service for this domain."
 4089 msgstr ""
 4090 
 4091 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4092 #: sssd.conf.5.xml:3508
 4093 msgid "cached_auth_timeout (int)"
 4094 msgstr ""
 4095 
 4096 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4097 #: sssd.conf.5.xml:3511
 4098 msgid ""
 4099 "Specifies time in seconds since last successful online authentication for "
 4100 "which user will be authenticated using cached credentials while SSSD is in "
 4101 "the online mode. If the credentials are incorrect, SSSD falls back to online "
 4102 "authentication."
 4103 msgstr ""
 4104 
 4105 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4106 #: sssd.conf.5.xml:3519
 4107 msgid ""
 4108 "This option's value is inherited by all trusted domains. At the moment it is "
 4109 "not possible to set a different value per trusted domain."
 4110 msgstr ""
 4111 
 4112 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4113 #: sssd.conf.5.xml:3524
 4114 msgid "Special value 0 implies that this feature is disabled."
 4115 msgstr ""
 4116 
 4117 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4118 #: sssd.conf.5.xml:3528
 4119 msgid ""
 4120 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 4121 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
 4122 "<quote>initgroups.</quote>"
 4123 msgstr ""
 4124 
 4125 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4126 #: sssd.conf.5.xml:3539
 4127 msgid "auto_private_groups (string)"
 4128 msgstr ""
 4129 
 4130 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 4131 #: sssd.conf.5.xml:3545
 4132 msgid "true"
 4133 msgstr ""
 4134 
 4135 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4136 #: sssd.conf.5.xml:3548
 4137 msgid ""
 4138 "Create user's private group unconditionally from user's UID number.  The GID "
 4139 "number is ignored in this case."
 4140 msgstr ""
 4141 
 4142 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4143 #: sssd.conf.5.xml:3552
 4144 msgid ""
 4145 "NOTE: Because the GID number and the user private group are inferred from "
 4146 "the UID number, it is not supported to have multiple entries with the same "
 4147 "UID or GID number with this option. In other words, enabling this option "
 4148 "enforces uniqueness across the ID space."
 4149 msgstr ""
 4150 
 4151 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 4152 #: sssd.conf.5.xml:3561
 4153 msgid "false"
 4154 msgstr ""
 4155 
 4156 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4157 #: sssd.conf.5.xml:3564
 4158 msgid ""
 4159 "Always use the user's primary GID number. The GID number must refer to a "
 4160 "group object in the LDAP database."
 4161 msgstr ""
 4162 
 4163 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 4164 #: sssd.conf.5.xml:3570
 4165 msgid "hybrid"
 4166 msgstr ""
 4167 
 4168 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4169 #: sssd.conf.5.xml:3573
 4170 msgid ""
 4171 "A primary group is autogenerated for user entries whose UID and GID numbers "
 4172 "have the same value and at the same time the GID number does not correspond "
 4173 "to a real group object in LDAP.  If the values are the same, but the primary "
 4174 "GID in the user entry is also used by a group object, the primary GID of the "
 4175 "user resolves to that group object."
 4176 msgstr ""
 4177 
 4178 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4179 #: sssd.conf.5.xml:3586
 4180 msgid ""
 4181 "If the UID and GID of a user are different, then the GID must correspond to "
 4182 "a group entry, otherwise the GID is simply not resolvable."
 4183 msgstr ""
 4184 
 4185 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4186 #: sssd.conf.5.xml:3593
 4187 msgid ""
 4188 "This feature is useful for environments that wish to stop maintaining a "
 4189 "separate group objects for the user private groups, but also wish to retain "
 4190 "the existing user private groups."
 4191 msgstr ""
 4192 
 4193 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4194 #: sssd.conf.5.xml:3542
 4195 msgid ""
 4196 "This option takes any of three available values: <placeholder "
 4197 "type=\"variablelist\" id=\"0\"/>"
 4198 msgstr ""
 4199 
 4200 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4201 #: sssd.conf.5.xml:3605
 4202 msgid ""
 4203 "For subdomains, the default value is False for subdomains that use assigned "
 4204 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 4205 msgstr ""
 4206 
 4207 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
 4208 #: sssd.conf.5.xml:3613
 4209 #, no-wrap
 4210 msgid ""
 4211 "[domain/forest.domain/sub.domain]\n"
 4212 "auto_private_groups = false\n"
 4213 msgstr ""
 4214 
 4215 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
 4216 #: sssd.conf.5.xml:3619
 4217 #, no-wrap
 4218 msgid ""
 4219 "[domain/forest.domain]\n"
 4220 "subdomain_inherit = auto_private_groups\n"
 4221 "auto_private_groups = false\n"
 4222 msgstr ""
 4223 
 4224 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4225 #: sssd.conf.5.xml:3610
 4226 msgid ""
 4227 "The value of auto_private_groups can either be set per subdomains in a "
 4228 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
 4229 "globally for all subdomains in the main domain section using the "
 4230 "subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
 4231 msgstr ""
 4232 
 4233 #. type: Content of: <reference><refentry><refsect1><para>
 4234 #: sssd.conf.5.xml:2233
 4235 msgid ""
 4236 "These configuration options can be present in a domain configuration "
 4237 "section, that is, in a section called "
 4238 "<quote>[domain/<replaceable>NAME</replaceable>]</quote> <placeholder "
 4239 "type=\"variablelist\" id=\"0\"/>"
 4240 msgstr ""
 4241 
 4242 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4243 #: sssd.conf.5.xml:3634
 4244 msgid "proxy_pam_target (string)"
 4245 msgstr ""
 4246 
 4247 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4248 #: sssd.conf.5.xml:3637
 4249 msgid "The proxy target PAM proxies to."
 4250 msgstr ""
 4251 
 4252 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4253 #: sssd.conf.5.xml:3640
 4254 msgid ""
 4255 "Default: not set by default, you have to take an existing pam configuration "
 4256 "or create a new one and add the service name here."
 4257 msgstr ""
 4258 
 4259 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4260 #: sssd.conf.5.xml:3648
 4261 msgid "proxy_lib_name (string)"
 4262 msgstr ""
 4263 
 4264 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4265 #: sssd.conf.5.xml:3651
 4266 msgid ""
 4267 "The name of the NSS library to use in proxy domains. The NSS functions "
 4268 "searched for in the library are in the form of _nss_$(libName)_$(function), "
 4269 "for example _nss_files_getpwent."
 4270 msgstr ""
 4271 
 4272 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4273 #: sssd.conf.5.xml:3661
 4274 msgid "proxy_resolver_lib_name (string)"
 4275 msgstr ""
 4276 
 4277 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4278 #: sssd.conf.5.xml:3664
 4279 msgid ""
 4280 "The name of the NSS library to use for hosts and networks lookups in proxy "
 4281 "domains. The NSS functions searched for in the library are in the form of "
 4282 "_nss_$(libName)_$(function), for example _nss_dns_gethostbyname2_r."
 4283 msgstr ""
 4284 
 4285 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4286 #: sssd.conf.5.xml:3675
 4287 msgid "proxy_fast_alias (boolean)"
 4288 msgstr ""
 4289 
 4290 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4291 #: sssd.conf.5.xml:3678
 4292 msgid ""
 4293 "When a user or group is looked up by name in the proxy provider, a second "
 4294 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
 4295 "name was an alias. Setting this option to true would cause the SSSD to "
 4296 "perform the ID lookup from cache for performance reasons."
 4297 msgstr ""
 4298 
 4299 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4300 #: sssd.conf.5.xml:3692
 4301 msgid "proxy_max_children (integer)"
 4302 msgstr ""
 4303 
 4304 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4305 #: sssd.conf.5.xml:3695
 4306 msgid ""
 4307 "This option specifies the number of pre-forked proxy children. It is useful "
 4308 "for high-load SSSD environments where sssd may run out of available child "
 4309 "slots, which would cause some issues due to the requests being queued."
 4310 msgstr ""
 4311 
 4312 #. type: Content of: <reference><refentry><refsect1><para>
 4313 #: sssd.conf.5.xml:3630
 4314 msgid ""
 4315 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 4316 "id=\"0\"/>"
 4317 msgstr ""
 4318 
 4319 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 4320 #: sssd.conf.5.xml:3711
 4321 msgid "Application domains"
 4322 msgstr ""
 4323 
 4324 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 4325 #: sssd.conf.5.xml:3713
 4326 msgid ""
 4327 "SSSD, with its D-Bus interface (see <citerefentry> "
 4328 "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> "
 4329 "</citerefentry>) is appealing to applications as a gateway to an LDAP "
 4330 "directory where users and groups are stored. However, contrary to the "
 4331 "traditional SSSD deployment where all users and groups either have POSIX "
 4332 "attributes or those attributes can be inferred from the Windows SIDs, in "
 4333 "many cases the users and groups in the application support scenario have no "
 4334 "POSIX attributes.  Instead of setting a "
 4335 "<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
 4336 "administrator can set up an "
 4337 "<quote>[application/<replaceable>NAME</replaceable>]</quote> section that "
 4338 "internally represents a domain with type <quote>application</quote> "
 4339 "optionally inherits settings from a tradition SSSD domain."
 4340 msgstr ""
 4341 
 4342 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 4343 #: sssd.conf.5.xml:3733
 4344 msgid ""
 4345 "Please note that the application domain must still be explicitly enabled in "
 4346 "the <quote>domains</quote> parameter so that the lookup order between the "
 4347 "application domain and its POSIX sibling domain is set correctly."
 4348 msgstr ""
 4349 
 4350 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
 4351 #: sssd.conf.5.xml:3739
 4352 msgid "Application domain parameters"
 4353 msgstr ""
 4354 
 4355 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 4356 #: sssd.conf.5.xml:3741
 4357 msgid "inherit_from (string)"
 4358 msgstr ""
 4359 
 4360 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4361 #: sssd.conf.5.xml:3744
 4362 msgid ""
 4363 "The SSSD POSIX-type domain the application domain inherits all settings "
 4364 "from. The application domain can moreover add its own settings to the "
 4365 "application settings that augment or override the <quote>sibling</quote> "
 4366 "domain settings."
 4367 msgstr ""
 4368 
 4369 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 4370 #: sssd.conf.5.xml:3758
 4371 msgid ""
 4372 "The following example illustrates the use of an application domain. In this "
 4373 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
 4374 "through the NSS responder. In addition, the application domain also requests "
 4375 "the telephoneNumber attribute, stores it as the phone attribute in the cache "
 4376 "and makes the phone attribute reachable through the D-Bus interface."
 4377 msgstr ""
 4378 
 4379 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
 4380 #: sssd.conf.5.xml:3766
 4381 #, no-wrap
 4382 msgid ""
 4383 "[sssd]\n"
 4384 "domains = appdom, posixdom\n"
 4385 "\n"
 4386 "[ifp]\n"
 4387 "user_attributes = +phone\n"
 4388 "\n"
 4389 "[domain/posixdom]\n"
 4390 "id_provider = ldap\n"
 4391 "ldap_uri = ldap://ldap.example.com\n"
 4392 "ldap_search_base = dc=example,dc=com\n"
 4393 "\n"
 4394 "[application/appdom]\n"
 4395 "inherit_from = posixdom\n"
 4396 "ldap_user_extra_attrs = phone:telephoneNumber\n"
 4397 msgstr ""
 4398 
 4399 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 4400 #: sssd.conf.5.xml:3784
 4401 msgid "The local domain section"
 4402 msgstr ""
 4403 
 4404 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 4405 #: sssd.conf.5.xml:3786
 4406 msgid ""
 4407 "This section contains settings for domain that stores users and groups in "
 4408 "SSSD native database, that is, a domain that uses "
 4409 "<replaceable>id_provider=local</replaceable>."
 4410 msgstr ""
 4411 
 4412 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 4413 #: sssd.conf.5.xml:3793
 4414 msgid "default_shell (string)"
 4415 msgstr ""
 4416 
 4417 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4418 #: sssd.conf.5.xml:3796
 4419 msgid "The default shell for users created with SSSD userspace tools."
 4420 msgstr ""
 4421 
 4422 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4423 #: sssd.conf.5.xml:3800
 4424 msgid "Default: <filename>/bin/bash</filename>"
 4425 msgstr ""
 4426 
 4427 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 4428 #: sssd.conf.5.xml:3805
 4429 msgid "base_directory (string)"
 4430 msgstr ""
 4431 
 4432 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4433 #: sssd.conf.5.xml:3808
 4434 msgid ""
 4435 "The tools append the login name to <replaceable>base_directory</replaceable> "
 4436 "and use that as the home directory."
 4437 msgstr ""
 4438 
 4439 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4440 #: sssd.conf.5.xml:3813
 4441 msgid "Default: <filename>/home</filename>"
 4442 msgstr ""
 4443 
 4444 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 4445 #: sssd.conf.5.xml:3818
 4446 msgid "create_homedir (bool)"
 4447 msgstr ""
 4448 
 4449 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4450 #: sssd.conf.5.xml:3821
 4451 msgid ""
 4452 "Indicate if a home directory should be created by default for new users.  "
 4453 "Can be overridden on command line."
 4454 msgstr ""
 4455 
 4456 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4457 #: sssd.conf.5.xml:3825 sssd.conf.5.xml:3837
 4458 msgid "Default: TRUE"
 4459 msgstr ""
 4460 
 4461 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 4462 #: sssd.conf.5.xml:3830
 4463 msgid "remove_homedir (bool)"
 4464 msgstr ""
 4465 
 4466 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4467 #: sssd.conf.5.xml:3833
 4468 msgid ""
 4469 "Indicate if a home directory should be removed by default for deleted "
 4470 "users.  Can be overridden on command line."
 4471 msgstr ""
 4472 
 4473 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 4474 #: sssd.conf.5.xml:3842
 4475 msgid "homedir_umask (integer)"
 4476 msgstr ""
 4477 
 4478 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4479 #: sssd.conf.5.xml:3845
 4480 msgid ""
 4481 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 4482 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
 4483 "on a newly created home directory."
 4484 msgstr ""
 4485 
 4486 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4487 #: sssd.conf.5.xml:3853
 4488 msgid "Default: 077"
 4489 msgstr ""
 4490 
 4491 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 4492 #: sssd.conf.5.xml:3858
 4493 msgid "skel_dir (string)"
 4494 msgstr ""
 4495 
 4496 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4497 #: sssd.conf.5.xml:3861
 4498 msgid ""
 4499 "The skeleton directory, which contains files and directories to be copied in "
 4500 "the user's home directory, when the home directory is created by "
 4501 "<citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 4502 "<manvolnum>8</manvolnum> </citerefentry>"
 4503 msgstr ""
 4504 
 4505 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4506 #: sssd.conf.5.xml:3871
 4507 msgid "Default: <filename>/etc/skel</filename>"
 4508 msgstr ""
 4509 
 4510 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 4511 #: sssd.conf.5.xml:3876
 4512 msgid "mail_dir (string)"
 4513 msgstr ""
 4514 
 4515 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4516 #: sssd.conf.5.xml:3879
 4517 msgid ""
 4518 "The mail spool directory. This is needed to manipulate the mailbox when its "
 4519 "corresponding user account is modified or deleted.  If not specified, a "
 4520 "default value is used."
 4521 msgstr ""
 4522 
 4523 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4524 #: sssd.conf.5.xml:3886
 4525 msgid "Default: <filename>/var/mail</filename>"
 4526 msgstr ""
 4527 
 4528 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 4529 #: sssd.conf.5.xml:3891
 4530 msgid "userdel_cmd (string)"
 4531 msgstr ""
 4532 
 4533 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4534 #: sssd.conf.5.xml:3894
 4535 msgid ""
 4536 "The command that is run after a user is removed.  The command us passed the "
 4537 "username of the user being removed as the first and only parameter. The "
 4538 "return code of the command is not taken into account."
 4539 msgstr ""
 4540 
 4541 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 4542 #: sssd.conf.5.xml:3900
 4543 msgid "Default: None, no command is run"
 4544 msgstr ""
 4545 
 4546 #. type: Content of: <reference><refentry><refsect1><title>
 4547 #: sssd.conf.5.xml:3910
 4548 msgid "TRUSTED DOMAIN SECTION"
 4549 msgstr ""
 4550 
 4551 #. type: Content of: <reference><refentry><refsect1><para>
 4552 #: sssd.conf.5.xml:3912
 4553 msgid ""
 4554 "Some options used in the domain section can also be used in the trusted "
 4555 "domain section, that is, in a section called "
 4556 "<quote>[domain/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</replaceable>]</quote>.  "
 4557 "Where DOMAIN_NAME is the actual joined-to base domain. Please refer to "
 4558 "examples below for explanation.  Currently supported options in the trusted "
 4559 "domain section are:"
 4560 msgstr ""
 4561 
 4562 #. type: Content of: <reference><refentry><refsect1><para>
 4563 #: sssd.conf.5.xml:3919
 4564 msgid "ldap_search_base,"
 4565 msgstr ""
 4566 
 4567 #. type: Content of: <reference><refentry><refsect1><para>
 4568 #: sssd.conf.5.xml:3920
 4569 msgid "ldap_user_search_base,"
 4570 msgstr ""
 4571 
 4572 #. type: Content of: <reference><refentry><refsect1><para>
 4573 #: sssd.conf.5.xml:3921
 4574 msgid "ldap_group_search_base,"
 4575 msgstr ""
 4576 
 4577 #. type: Content of: <reference><refentry><refsect1><para>
 4578 #: sssd.conf.5.xml:3922
 4579 msgid "ldap_netgroup_search_base,"
 4580 msgstr ""
 4581 
 4582 #. type: Content of: <reference><refentry><refsect1><para>
 4583 #: sssd.conf.5.xml:3923
 4584 msgid "ldap_service_search_base,"
 4585 msgstr ""
 4586 
 4587 #. type: Content of: <reference><refentry><refsect1><para>
 4588 #: sssd.conf.5.xml:3924
 4589 msgid "ldap_sasl_mech,"
 4590 msgstr ""
 4591 
 4592 #. type: Content of: <reference><refentry><refsect1><para>
 4593 #: sssd.conf.5.xml:3925
 4594 msgid "ad_server,"
 4595 msgstr ""
 4596 
 4597 #. type: Content of: <reference><refentry><refsect1><para>
 4598 #: sssd.conf.5.xml:3926
 4599 msgid "ad_backup_server,"
 4600 msgstr ""
 4601 
 4602 #. type: Content of: <reference><refentry><refsect1><para>
 4603 #: sssd.conf.5.xml:3927
 4604 msgid "ad_site,"
 4605 msgstr ""
 4606 
 4607 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 4608 #: sssd.conf.5.xml:3928 sssd-ipa.5.xml:811
 4609 msgid "use_fully_qualified_names"
 4610 msgstr ""
 4611 
 4612 #. type: Content of: <reference><refentry><refsect1><para>
 4613 #: sssd.conf.5.xml:3932
 4614 msgid ""
 4615 "For more details about these options see their individual description in the "
 4616 "manual page."
 4617 msgstr ""
 4618 
 4619 #. type: Content of: <reference><refentry><refsect1><title>
 4620 #: sssd.conf.5.xml:3938
 4621 msgid "CERTIFICATE MAPPING SECTION"
 4622 msgstr ""
 4623 
 4624 #. type: Content of: <reference><refentry><refsect1><para>
 4625 #: sssd.conf.5.xml:3940
 4626 msgid ""
 4627 "To allow authentication with Smartcards and certificates SSSD must be able "
 4628 "to map certificates to users. This can be done by adding the full "
 4629 "certificate to the LDAP object of the user or to a local override. While "
 4630 "using the full certificate is required to use the Smartcard authentication "
 4631 "feature of SSH (see <citerefentry> "
 4632 "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> "
 4633 "<manvolnum>8</manvolnum> </citerefentry> for details) it might be cumbersome "
 4634 "or not even possible to do this for the general case where local services "
 4635 "use PAM for authentication."
 4636 msgstr ""
 4637 
 4638 #. type: Content of: <reference><refentry><refsect1><para>
 4639 #: sssd.conf.5.xml:3954
 4640 msgid ""
 4641 "To make the mapping more flexible mapping and matching rules were added to "
 4642 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
 4643 "<manvolnum>5</manvolnum> </citerefentry> for details)."
 4644 msgstr ""
 4645 
 4646 #. type: Content of: <reference><refentry><refsect1><para>
 4647 #: sssd.conf.5.xml:3963
 4648 msgid ""
 4649 "A mapping and matching rule can be added to the SSSD configuration in a "
 4650 "section on its own with a name like "
 4651 "<quote>[certmap/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</replaceable>]</quote>.  "
 4652 "In this section the following options are allowed:"
 4653 msgstr ""
 4654 
 4655 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 4656 #: sssd.conf.5.xml:3970
 4657 msgid "matchrule (string)"
 4658 msgstr ""
 4659 
 4660 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 4661 #: sssd.conf.5.xml:3973
 4662 msgid ""
 4663 "Only certificates from the Smartcard which matches this rule will be "
 4664 "processed, all others are ignored."
 4665 msgstr ""
 4666 
 4667 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 4668 #: sssd.conf.5.xml:3977
 4669 msgid ""
 4670 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 4671 "Extended Key Usage <quote>clientAuth</quote>"
 4672 msgstr ""
 4673 
 4674 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 4675 #: sssd.conf.5.xml:3984
 4676 msgid "maprule (string)"
 4677 msgstr ""
 4678 
 4679 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 4680 #: sssd.conf.5.xml:3987
 4681 msgid "Defines how the user is found for a given certificate."
 4682 msgstr ""
 4683 
 4684 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 4685 #: sssd.conf.5.xml:3993
 4686 msgid ""
 4687 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 4688 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 4689 msgstr ""
 4690 
 4691 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 4692 #: sssd.conf.5.xml:3999
 4693 msgid ""
 4694 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 4695 "user with the same name."
 4696 msgstr ""
 4697 
 4698 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 4699 #: sssd.conf.5.xml:4008
 4700 msgid "domains (string)"
 4701 msgstr ""
 4702 
 4703 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 4704 #: sssd.conf.5.xml:4011
 4705 msgid ""
 4706 "Comma separated list of domain names the rule should be applied. By default "
 4707 "a rule is only valid in the domain configured in sssd.conf. If the provider "
 4708 "supports subdomains this option can be used to add the rule to subdomains as "
 4709 "well."
 4710 msgstr ""
 4711 
 4712 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 4713 #: sssd.conf.5.xml:4018
 4714 msgid "Default: the configured domain in sssd.conf"
 4715 msgstr ""
 4716 
 4717 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 4718 #: sssd.conf.5.xml:4023
 4719 msgid "priority (integer)"
 4720 msgstr ""
 4721 
 4722 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 4723 #: sssd.conf.5.xml:4026
 4724 msgid ""
 4725 "Unsigned integer value defining the priority of the rule. The higher the "
 4726 "number the lower the priority.  <quote>0</quote> stands for the highest "
 4727 "priority while <quote>4294967295</quote> is the lowest."
 4728 msgstr ""
 4729 
 4730 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 4731 #: sssd.conf.5.xml:4032
 4732 msgid "Default: the lowest priority"
 4733 msgstr ""
 4734 
 4735 #. type: Content of: <reference><refentry><refsect1><para>
 4736 #: sssd.conf.5.xml:4038
 4737 msgid ""
 4738 "To make the configuration simple and reduce the amount of configuration "
 4739 "options the <quote>files</quote> provider has some special properties:"
 4740 msgstr ""
 4741 
 4742 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 4743 #: sssd.conf.5.xml:4044
 4744 msgid ""
 4745 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 4746 "matching user"
 4747 msgstr ""
 4748 
 4749 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 4750 #: sssd.conf.5.xml:4050
 4751 msgid ""
 4752 "if a maprule is used both a single user name or a template like "
 4753 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like "
 4754 "e.g. <quote>(username)</quote> or "
 4755 "<quote>({subject_rfc822_name.short_name})</quote>"
 4756 msgstr ""
 4757 
 4758 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 4759 #: sssd.conf.5.xml:4059
 4760 msgid "the <quote>domains</quote> option is ignored"
 4761 msgstr ""
 4762 
 4763 #. type: Content of: <reference><refentry><refsect1><title>
 4764 #: sssd.conf.5.xml:4067
 4765 msgid "PROMPTING CONFIGURATION SECTION"
 4766 msgstr ""
 4767 
 4768 #. type: Content of: <reference><refentry><refsect1><para>
 4769 #: sssd.conf.5.xml:4069
 4770 msgid ""
 4771 "If a special file "
 4772 "(<filename>/var/lib/sss/pubconf/pam_preauth_available</filename>)  exists "
 4773 "SSSD's PAM module pam_sss will ask SSSD to figure out which authentication "
 4774 "methods are available for the user trying to log in.  Based on the results "
 4775 "pam_sss will prompt the user for appropriate credentials."
 4776 msgstr ""
 4777 
 4778 #. type: Content of: <reference><refentry><refsect1><para>
 4779 #: sssd.conf.5.xml:4077
 4780 msgid ""
 4781 "With the growing number of authentication methods and the possibility that "
 4782 "there are multiple ones for a single user the heuristic used by pam_sss to "
 4783 "select the prompting might not be suitable for all use cases. The following "
 4784 "options should provide a better flexibility here."
 4785 msgstr ""
 4786 
 4787 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4788 #: sssd.conf.5.xml:4089
 4789 msgid "[prompting/password]"
 4790 msgstr ""
 4791 
 4792 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 4793 #: sssd.conf.5.xml:4092
 4794 msgid "password_prompt"
 4795 msgstr ""
 4796 
 4797 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4798 #: sssd.conf.5.xml:4093
 4799 msgid "to change the string of the password prompt"
 4800 msgstr ""
 4801 
 4802 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4803 #: sssd.conf.5.xml:4091
 4804 msgid ""
 4805 "to configure password prompting, allowed options are: <placeholder "
 4806 "type=\"variablelist\" id=\"0\"/>"
 4807 msgstr ""
 4808 
 4809 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 4810 #: sssd.conf.5.xml:4101
 4811 msgid "[prompting/2fa]"
 4812 msgstr ""
 4813 
 4814 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 4815 #: sssd.conf.5.xml:4105
 4816 msgid "first_prompt"
 4817 msgstr ""
 4818 
 4819 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4820 #: sssd.conf.5.xml:4106
 4821 msgid "to change the string of the prompt for the first factor"
 4822 msgstr ""
 4823 
 4824 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 4825 #: sssd.conf.5.xml:4109
 4826 msgid "second_prompt"
 4827 msgstr ""
 4828 
 4829 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4830 #: sssd.conf.5.xml:4110
 4831 msgid "to change the string of the prompt for the second factor"
 4832 msgstr ""
 4833 
 4834 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 4835 #: sssd.conf.5.xml:4113
 4836 msgid "single_prompt"
 4837 msgstr ""
 4838 
 4839 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 4840 #: sssd.conf.5.xml:4114
 4841 msgid ""
 4842 "boolean value, if True there will be only a single prompt using the value of "
 4843 "first_prompt where it is expected that both factors are entered as a single "
 4844 "string"
 4845 msgstr ""
 4846 
 4847 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 4848 #: sssd.conf.5.xml:4103
 4849 msgid ""
 4850 "to configure two-factor authentication prompting, allowed options are: "
 4851 "<placeholder type=\"variablelist\" id=\"0\"/>"
 4852 msgstr ""
 4853 
 4854 #. type: Content of: <reference><refentry><refsect1><para>
 4855 #: sssd.conf.5.xml:4084
 4856 msgid ""
 4857 "Each supported authentication method has its own configuration subsection "
 4858 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
 4859 "type=\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" "
 4860 "id=\"1\"/>"
 4861 msgstr ""
 4862 
 4863 #. type: Content of: <reference><refentry><refsect1><para>
 4864 #: sssd.conf.5.xml:4126
 4865 msgid ""
 4866 "It is possible to add a subsection for specific PAM services, "
 4867 "e.g. <quote>[prompting/password/sshd]</quote> to individual change the "
 4868 "prompting for this service."
 4869 msgstr ""
 4870 
 4871 #. type: Content of: <reference><refentry><refsect1><title>
 4872 #: sssd.conf.5.xml:4133 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 4873 msgid "EXAMPLES"
 4874 msgstr ""
 4875 
 4876 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
 4877 #: sssd.conf.5.xml:4139
 4878 #, no-wrap
 4879 msgid ""
 4880 "[sssd]\n"
 4881 "domains = LDAP\n"
 4882 "services = nss, pam\n"
 4883 "config_file_version = 2\n"
 4884 "\n"
 4885 "[nss]\n"
 4886 "filter_groups = root\n"
 4887 "filter_users = root\n"
 4888 "\n"
 4889 "[pam]\n"
 4890 "\n"
 4891 "[domain/LDAP]\n"
 4892 "id_provider = ldap\n"
 4893 "ldap_uri = ldap://ldap.example.com\n"
 4894 "ldap_search_base = dc=example,dc=com\n"
 4895 "\n"
 4896 "auth_provider = krb5\n"
 4897 "krb5_server = kerberos.example.com\n"
 4898 "krb5_realm = EXAMPLE.COM\n"
 4899 "cache_credentials = true\n"
 4900 "\n"
 4901 "min_id = 10000\n"
 4902 "max_id = 20000\n"
 4903 "enumerate = False\n"
 4904 msgstr ""
 4905 
 4906 #. type: Content of: <reference><refentry><refsect1><para>
 4907 #: sssd.conf.5.xml:4135
 4908 msgid ""
 4909 "1. The following example shows a typical SSSD config. It does not describe "
 4910 "configuration of the domains themselves - refer to documentation on "
 4911 "configuring domains for more details.  <placeholder type=\"programlisting\" "
 4912 "id=\"0\"/>"
 4913 msgstr ""
 4914 
 4915 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
 4916 #: sssd.conf.5.xml:4172
 4917 #, no-wrap
 4918 msgid ""
 4919 "[domain/ipa.com/child.ad.com]\n"
 4920 "use_fully_qualified_names = false\n"
 4921 msgstr ""
 4922 
 4923 #. type: Content of: <reference><refentry><refsect1><para>
 4924 #: sssd.conf.5.xml:4166
 4925 msgid ""
 4926 "2. The following example shows configuration of IPA AD trust where the AD "
 4927 "forest consists of two domains in a parent-child structure.  Suppose IPA "
 4928 "domain (ipa.com) has trust with AD domain(ad.com).  ad.com has child domain "
 4929 "(child.ad.com). To enable shortnames in the child domain the following "
 4930 "configuration should be used.  <placeholder type=\"programlisting\" "
 4931 "id=\"0\"/>"
 4932 msgstr ""
 4933 
 4934 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
 4935 #: sssd.conf.5.xml:4186
 4936 #, no-wrap
 4937 msgid ""
 4938 "[certmap/my.domain/rule_name]\n"
 4939 "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$\n"
 4940 "maprule = (userCertificate;binary={cert!bin})\n"
 4941 "domains = my.domain, your.domain\n"
 4942 "priority = 10\n"
 4943 "\n"
 4944 "[certmap/files/myname]\n"
 4945 "matchrule = "
 4946 "&lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;^CN=User.Name,DC=MY,DC=DOMAIN$\n"
 4947 msgstr ""
 4948 
 4949 #. type: Content of: <reference><refentry><refsect1><para>
 4950 #: sssd.conf.5.xml:4177
 4951 msgid ""
 4952 "3. The following example shows the configuration for two certificate mapping "
 4953 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
 4954 "and additionally for the subdomains <quote>your.domain</quote> and uses the "
 4955 "full certificate in the search filter. The second example is valid for the "
 4956 "domain <quote>files</quote> where it is assumed the files provider is used "
 4957 "for this domain and contains a matching rule for the local user "
 4958 "<quote>myname</quote>.  <placeholder type=\"programlisting\" id=\"0\"/>"
 4959 msgstr ""
 4960 
 4961 #. type: Content of: <reference><refentry><refnamediv><refname>
 4962 #: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
 4963 msgid "sssd-ldap"
 4964 msgstr ""
 4965 
 4966 #. type: Content of: <reference><refentry><refnamediv><refpurpose>
 4967 #: sssd-ldap.5.xml:17
 4968 msgid "SSSD LDAP provider"
 4969 msgstr ""
 4970 
 4971 #. type: Content of: <reference><refentry><refsect1><para>
 4972 #: sssd-ldap.5.xml:23
 4973 msgid ""
 4974 "This manual page describes the configuration of LDAP domains for "
 4975 "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
 4976 "</citerefentry>.  Refer to the <quote>FILE FORMAT</quote> section of the "
 4977 "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
 4978 "<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax "
 4979 "information."
 4980 msgstr ""
 4981 
 4982 #. type: Content of: <reference><refentry><refsect1><para>
 4983 #: sssd-ldap.5.xml:35
 4984 msgid "You can configure SSSD to use more than one LDAP domain."
 4985 msgstr ""
 4986 
 4987 #. type: Content of: <reference><refentry><refsect1><para>
 4988 #: sssd-ldap.5.xml:38
 4989 msgid ""
 4990 "LDAP back end supports id, auth, access and chpass providers. If you want to "
 4991 "authenticate against an LDAP server either TLS/SSL or LDAPS is "
 4992 "required. <command>sssd</command> <emphasis>does not</emphasis> support "
 4993 "authentication over an unencrypted channel.  If the LDAP server is used only "
 4994 "as an identity provider, an encrypted channel is not needed. Please refer to "
 4995 "<quote>ldap_access_filter</quote> config option for more information about "
 4996 "using LDAP as an access provider."
 4997 msgstr ""
 4998 
 4999 #. type: Content of: <reference><refentry><refsect1><title>
 5000 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
 5001 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:78
 5002 #: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:166
 5003 msgid "CONFIGURATION OPTIONS"
 5004 msgstr ""
 5005 
 5006 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5007 #: sssd-ldap.5.xml:66
 5008 msgid "ldap_uri, ldap_backup_uri (string)"
 5009 msgstr ""
 5010 
 5011 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5012 #: sssd-ldap.5.xml:69
 5013 msgid ""
 5014 "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
 5015 "should connect in the order of preference. Refer to the "
 5016 "<quote>FAILOVER</quote> section for more information on failover and server "
 5017 "redundancy.  If neither option is specified, service discovery is "
 5018 "enabled. For more information, refer to the <quote>SERVICE DISCOVERY</quote> "
 5019 "section."
 5020 msgstr ""
 5021 
 5022 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 5023 #: sssd-ldap.5.xml:76 sssd-secrets.5.xml:264
 5024 msgid "The format of the URI must match the format defined in RFC 2732:"
 5025 msgstr ""
 5026 
 5027 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5028 #: sssd-ldap.5.xml:79
 5029 msgid "ldap[s]://&lt;host&gt;[:port]"
 5030 msgstr ""
 5031 
 5032 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5033 #: sssd-ldap.5.xml:82
 5034 msgid "For explicit IPv6 addresses, &lt;host&gt; must be enclosed in brackets []"
 5035 msgstr ""
 5036 
 5037 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5038 #: sssd-ldap.5.xml:85
 5039 msgid "example: ldap://[fc00::126:25]:389"
 5040 msgstr ""
 5041 
 5042 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5043 #: sssd-ldap.5.xml:91
 5044 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)"
 5045 msgstr ""
 5046 
 5047 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5048 #: sssd-ldap.5.xml:94
 5049 msgid ""
 5050 "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
 5051 "should connect in the order of preference to change the password of a "
 5052 "user. Refer to the <quote>FAILOVER</quote> section for more information on "
 5053 "failover and server redundancy."
 5054 msgstr ""
 5055 
 5056 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5057 #: sssd-ldap.5.xml:101
 5058 msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
 5059 msgstr ""
 5060 
 5061 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5062 #: sssd-ldap.5.xml:105
 5063 msgid "Default: empty, i.e. ldap_uri is used."
 5064 msgstr ""
 5065 
 5066 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5067 #: sssd-ldap.5.xml:111
 5068 msgid "ldap_search_base (string)"
 5069 msgstr ""
 5070 
 5071 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5072 #: sssd-ldap.5.xml:114
 5073 msgid "The default base DN to use for performing LDAP user operations."
 5074 msgstr ""
 5075 
 5076 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5077 #: sssd-ldap.5.xml:118
 5078 msgid ""
 5079 "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
 5080 "syntax:"
 5081 msgstr ""
 5082 
 5083 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5084 #: sssd-ldap.5.xml:122
 5085 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
 5086 msgstr ""
 5087 
 5088 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5089 #: sssd-ldap.5.xml:125
 5090 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
 5091 msgstr ""
 5092 
 5093 #. type: Content of: <listitem><para>
 5094 #: sssd-ldap.5.xml:128 include/ldap_search_bases.xml:18
 5095 msgid ""
 5096 "The filter must be a valid LDAP search filter as specified by "
 5097 "http://www.ietf.org/rfc/rfc2254.txt"
 5098 msgstr ""
 5099 
 5100 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5101 #: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
 5102 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 5103 msgid "Examples:"
 5104 msgstr ""
 5105 
 5106 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5107 #: sssd-ldap.5.xml:135
 5108 msgid ""
 5109 "ldap_search_base = dc=example,dc=com (which is equivalent to)  "
 5110 "ldap_search_base = dc=example,dc=com?subtree?"
 5111 msgstr ""
 5112 
 5113 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5114 #: sssd-ldap.5.xml:140
 5115 msgid ""
 5116 "ldap_search_base = "
 5117 "cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree?"
 5118 msgstr ""
 5119 
 5120 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5121 #: sssd-ldap.5.xml:143
 5122 msgid ""
 5123 "Note: It is unsupported to have multiple search bases which reference "
 5124 "identically-named objects (for example, groups with the same name in two "
 5125 "different search bases). This will lead to unpredictable behavior on client "
 5126 "machines."
 5127 msgstr ""
 5128 
 5129 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5130 #: sssd-ldap.5.xml:150
 5131 msgid ""
 5132 "Default: If not set, the value of the defaultNamingContext or namingContexts "
 5133 "attribute from the RootDSE of the LDAP server is used. If "
 5134 "defaultNamingContext does not exist or has an empty value namingContexts is "
 5135 "used.  The namingContexts attribute must have a single value with the DN of "
 5136 "the search base of the LDAP server to make this work. Multiple values are "
 5137 "are not supported."
 5138 msgstr ""
 5139 
 5140 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5141 #: sssd-ldap.5.xml:164
 5142 msgid "ldap_schema (string)"
 5143 msgstr ""
 5144 
 5145 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5146 #: sssd-ldap.5.xml:167
 5147 msgid ""
 5148 "Specifies the Schema Type in use on the target LDAP server.  Depending on "
 5149 "the selected schema, the default attribute names retrieved from the servers "
 5150 "may vary.  The way that some attributes are handled may also differ."
 5151 msgstr ""
 5152 
 5153 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5154 #: sssd-ldap.5.xml:174
 5155 msgid "Four schema types are currently supported:"
 5156 msgstr ""
 5157 
 5158 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 5159 #: sssd-ldap.5.xml:178
 5160 msgid "rfc2307"
 5161 msgstr ""
 5162 
 5163 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 5164 #: sssd-ldap.5.xml:183
 5165 msgid "rfc2307bis"
 5166 msgstr ""
 5167 
 5168 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 5169 #: sssd-ldap.5.xml:188
 5170 msgid "IPA"
 5171 msgstr ""
 5172 
 5173 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 5174 #: sssd-ldap.5.xml:193
 5175 msgid "AD"
 5176 msgstr ""
 5177 
 5178 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5179 #: sssd-ldap.5.xml:199
 5180 msgid ""
 5181 "The main difference between these schema types is how group memberships are "
 5182 "recorded in the server.  With rfc2307, group members are listed by name in "
 5183 "the <emphasis>memberUid</emphasis> attribute.  With rfc2307bis and IPA, "
 5184 "group members are listed by DN and stored in the <emphasis>member</emphasis> "
 5185 "attribute.  The AD schema type sets the attributes to correspond with Active "
 5186 "Directory 2008r2 values."
 5187 msgstr ""
 5188 
 5189 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5190 #: sssd-ldap.5.xml:209
 5191 msgid "Default: rfc2307"
 5192 msgstr ""
 5193 
 5194 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5195 #: sssd-ldap.5.xml:215
 5196 msgid "ldap_pwmodify_mode (string)"
 5197 msgstr ""
 5198 
 5199 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5200 #: sssd-ldap.5.xml:218
 5201 msgid "Specify the operation that is used to modify user password."
 5202 msgstr ""
 5203 
 5204 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5205 #: sssd-ldap.5.xml:222
 5206 msgid "Two modes are currently supported:"
 5207 msgstr ""
 5208 
 5209 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 5210 #: sssd-ldap.5.xml:226
 5211 msgid "exop - Password Modify Extended Operation (RFC 3062)"
 5212 msgstr ""
 5213 
 5214 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 5215 #: sssd-ldap.5.xml:232
 5216 msgid "ldap_modify - Direct modification of userPassword (not recommended)."
 5217 msgstr ""
 5218 
 5219 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5220 #: sssd-ldap.5.xml:239
 5221 msgid ""
 5222 "Note: First, a new connection is established to verify current password by "
 5223 "binding as the user that requested password change. If successful, this "
 5224 "connection is used to change the password therefore the user must have write "
 5225 "access to userPassword attribute."
 5226 msgstr ""
 5227 
 5228 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5229 #: sssd-ldap.5.xml:247
 5230 msgid "Default: exop"
 5231 msgstr ""
 5232 
 5233 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5234 #: sssd-ldap.5.xml:253
 5235 msgid "ldap_default_bind_dn (string)"
 5236 msgstr ""
 5237 
 5238 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5239 #: sssd-ldap.5.xml:256
 5240 msgid "The default bind DN to use for performing LDAP operations."
 5241 msgstr ""
 5242 
 5243 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5244 #: sssd-ldap.5.xml:263
 5245 msgid "ldap_default_authtok_type (string)"
 5246 msgstr ""
 5247 
 5248 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5249 #: sssd-ldap.5.xml:266
 5250 msgid "The type of the authentication token of the default bind DN."
 5251 msgstr ""
 5252 
 5253 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5254 #: sssd-ldap.5.xml:270
 5255 msgid "The two mechanisms currently supported are:"
 5256 msgstr ""
 5257 
 5258 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5259 #: sssd-ldap.5.xml:273
 5260 msgid "password"
 5261 msgstr ""
 5262 
 5263 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5264 #: sssd-ldap.5.xml:276
 5265 msgid "obfuscated_password"
 5266 msgstr ""
 5267 
 5268 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5269 #: sssd-ldap.5.xml:279
 5270 msgid "Default: password"
 5271 msgstr ""
 5272 
 5273 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5274 #: sssd-ldap.5.xml:282
 5275 msgid ""
 5276 "See the <citerefentry> <refentrytitle>sss_obfuscate</refentrytitle> "
 5277 "<manvolnum>8</manvolnum> </citerefentry> manual page for more information."
 5278 msgstr ""
 5279 
 5280 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5281 #: sssd-ldap.5.xml:293
 5282 msgid "ldap_default_authtok (string)"
 5283 msgstr ""
 5284 
 5285 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5286 #: sssd-ldap.5.xml:296
 5287 msgid "The authentication token of the default bind DN."
 5288 msgstr ""
 5289 
 5290 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5291 #: sssd-ldap.5.xml:302
 5292 msgid "ldap_force_upper_case_realm (boolean)"
 5293 msgstr ""
 5294 
 5295 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5296 #: sssd-ldap.5.xml:305
 5297 msgid ""
 5298 "Some directory servers, for example Active Directory, might deliver the "
 5299 "realm part of the UPN in lower case, which might cause the authentication to "
 5300 "fail. Set this option to a non-zero value if you want to use an upper-case "
 5301 "realm."
 5302 msgstr ""
 5303 
 5304 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5305 #: sssd-ldap.5.xml:318
 5306 msgid "ldap_enumeration_refresh_timeout (integer)"
 5307 msgstr ""
 5308 
 5309 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5310 #: sssd-ldap.5.xml:321
 5311 msgid ""
 5312 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 5313 "enumerated records."
 5314 msgstr ""
 5315 
 5316 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5317 #: sssd-ldap.5.xml:332
 5318 msgid "ldap_purge_cache_timeout (integer)"
 5319 msgstr ""
 5320 
 5321 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5322 #: sssd-ldap.5.xml:335
 5323 msgid ""
 5324 "Determine how often to check the cache for inactive entries (such as groups "
 5325 "with no members and users who have never logged in) and remove them to save "
 5326 "space."
 5327 msgstr ""
 5328 
 5329 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5330 #: sssd-ldap.5.xml:341
 5331 msgid ""
 5332 "Setting this option to zero will disable the cache cleanup operation. Please "
 5333 "note that if enumeration is enabled, the cleanup task is required in order "
 5334 "to detect entries removed from the server and can't be disabled. By default, "
 5335 "the cleanup task will run every 3 hours with enumeration enabled."
 5336 msgstr ""
 5337 
 5338 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5339 #: sssd-ldap.5.xml:356
 5340 msgid "ldap_group_nesting_level (integer)"
 5341 msgstr ""
 5342 
 5343 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5344 #: sssd-ldap.5.xml:359
 5345 msgid ""
 5346 "If ldap_schema is set to a schema format that supports nested groups "
 5347 "(e.g. RFC2307bis), then this option controls how many levels of nesting SSSD "
 5348 "will follow. This option has no effect on the RFC2307 schema."
 5349 msgstr ""
 5350 
 5351 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5352 #: sssd-ldap.5.xml:366
 5353 msgid ""
 5354 "Note: This option specifies the guaranteed level of nested groups to be "
 5355 "processed for any lookup. However, nested groups beyond this limit "
 5356 "<emphasis>may be</emphasis> returned if previous lookups already resolved "
 5357 "the deeper nesting levels.  Also, subsequent lookups for other groups may "
 5358 "enlarge the result set for original lookup if re-queried."
 5359 msgstr ""
 5360 
 5361 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5362 #: sssd-ldap.5.xml:375
 5363 msgid ""
 5364 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 5365 "at all. However, when connected to Active-Directory Server 2008 and later "
 5366 "using <quote>id_provider=ad</quote> it is furthermore required to disable "
 5367 "usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
 5368 "restrict group nesting."
 5369 msgstr ""
 5370 
 5371 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5372 #: sssd-ldap.5.xml:384
 5373 msgid "Default: 2"
 5374 msgstr ""
 5375 
 5376 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5377 #: sssd-ldap.5.xml:393
 5378 msgid ""
 5379 "This options enables or disables use of Token-Groups attribute when "
 5380 "performing initgroup for users from Active Directory Server 2008 and later."
 5381 msgstr ""
 5382 
 5383 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5384 #: sssd-ldap.5.xml:398
 5385 msgid "Default: True for AD and IPA otherwise False."
 5386 msgstr ""
 5387 
 5388 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5389 #: sssd-ldap.5.xml:404
 5390 msgid "ldap_host_search_base (string)"
 5391 msgstr ""
 5392 
 5393 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5394 #: sssd-ldap.5.xml:407
 5395 msgid "Optional. Use the given string as search base for host objects."
 5396 msgstr ""
 5397 
 5398 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5399 #: sssd-ldap.5.xml:411 sssd-ipa.5.xml:389 sssd-ipa.5.xml:408 sssd-ipa.5.xml:427
 5400 #: sssd-ipa.5.xml:446
 5401 msgid ""
 5402 "See <quote>ldap_search_base</quote> for information about configuring "
 5403 "multiple search bases."
 5404 msgstr ""
 5405 
 5406 #. type: Content of: <listitem><para>
 5407 #: sssd-ldap.5.xml:416 sssd-ipa.5.xml:394 include/ldap_search_bases.xml:27
 5408 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 5409 msgstr ""
 5410 
 5411 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5412 #: sssd-ldap.5.xml:423
 5413 msgid "ldap_service_search_base (string)"
 5414 msgstr ""
 5415 
 5416 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5417 #: sssd-ldap.5.xml:428
 5418 msgid "ldap_iphost_search_base (string)"
 5419 msgstr ""
 5420 
 5421 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5422 #: sssd-ldap.5.xml:433
 5423 msgid "ldap_ipnetwork_search_base (string)"
 5424 msgstr ""
 5425 
 5426 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5427 #: sssd-ldap.5.xml:438
 5428 msgid "ldap_search_timeout (integer)"
 5429 msgstr ""
 5430 
 5431 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5432 #: sssd-ldap.5.xml:441
 5433 msgid ""
 5434 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 5435 "before they are cancelled and cached results are returned (and offline mode "
 5436 "is entered)"
 5437 msgstr ""
 5438 
 5439 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5440 #: sssd-ldap.5.xml:447
 5441 msgid ""
 5442 "Note: this option is subject to change in future versions of the SSSD. It "
 5443 "will likely be replaced at some point by a series of timeouts for specific "
 5444 "lookup types."
 5445 msgstr ""
 5446 
 5447 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5448 #: sssd-ldap.5.xml:459
 5449 msgid "ldap_enumeration_search_timeout (integer)"
 5450 msgstr ""
 5451 
 5452 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5453 #: sssd-ldap.5.xml:462
 5454 msgid ""
 5455 "Specifies the timeout (in seconds) that ldap searches for user and group "
 5456 "enumerations are allowed to run before they are cancelled and cached results "
 5457 "are returned (and offline mode is entered)"
 5458 msgstr ""
 5459 
 5460 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5461 #: sssd-ldap.5.xml:475
 5462 msgid "ldap_network_timeout (integer)"
 5463 msgstr ""
 5464 
 5465 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5466 #: sssd-ldap.5.xml:478
 5467 msgid ""
 5468 "Specifies the timeout (in seconds) after which the <citerefentry> "
 5469 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> "
 5470 "</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> "
 5471 "<manvolnum>2</manvolnum> </citerefentry> following a <citerefentry> "
 5472 "<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> "
 5473 "</citerefentry> returns in case of no activity."
 5474 msgstr ""
 5475 
 5476 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5477 #: sssd-ldap.5.xml:501
 5478 msgid "ldap_opt_timeout (integer)"
 5479 msgstr ""
 5480 
 5481 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5482 #: sssd-ldap.5.xml:504
 5483 msgid ""
 5484 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 5485 "will abort if no response is received. Also controls the timeout when "
 5486 "communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
 5487 "operation, password change extended operation and the StartTLS operation."
 5488 msgstr ""
 5489 
 5490 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5491 #: sssd-ldap.5.xml:519
 5492 msgid "ldap_connection_expire_timeout (integer)"
 5493 msgstr ""
 5494 
 5495 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5496 #: sssd-ldap.5.xml:522
 5497 msgid ""
 5498 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 5499 "maintained. After this time, the connection will be re-established. If used "
 5500 "in parallel with SASL/GSSAPI, the sooner of the two values (this value "
 5501 "vs. the TGT lifetime)  will be used."
 5502 msgstr ""
 5503 
 5504 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5505 #: sssd-ldap.5.xml:530
 5506 msgid ""
 5507 "This timeout can be extended of a random value specified by "
 5508 "<emphasis>ldap_connection_expire_offset</emphasis>"
 5509 msgstr ""
 5510 
 5511 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5512 #: sssd-ldap.5.xml:535 sssd-ldap.5.xml:1565
 5513 msgid "Default: 900 (15 minutes)"
 5514 msgstr ""
 5515 
 5516 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5517 #: sssd-ldap.5.xml:541
 5518 msgid "ldap_connection_expire_offset (integer)"
 5519 msgstr ""
 5520 
 5521 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5522 #: sssd-ldap.5.xml:544
 5523 msgid ""
 5524 "Random offset between 0 and configured value is added to "
 5525 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 5526 msgstr ""
 5527 
 5528 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5529 #: sssd-ldap.5.xml:555
 5530 msgid "ldap_page_size (integer)"
 5531 msgstr ""
 5532 
 5533 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5534 #: sssd-ldap.5.xml:558
 5535 msgid ""
 5536 "Specify the number of records to retrieve from LDAP in a single "
 5537 "request. Some LDAP servers enforce a maximum limit per-request."
 5538 msgstr ""
 5539 
 5540 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 5541 #: sssd-ldap.5.xml:563 include/failover.xml:84
 5542 msgid "Default: 1000"
 5543 msgstr ""
 5544 
 5545 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5546 #: sssd-ldap.5.xml:569
 5547 msgid "ldap_disable_paging (boolean)"
 5548 msgstr ""
 5549 
 5550 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5551 #: sssd-ldap.5.xml:572
 5552 msgid ""
 5553 "Disable the LDAP paging control. This option should be used if the LDAP "
 5554 "server reports that it supports the LDAP paging control in its RootDSE but "
 5555 "it is not enabled or does not behave properly."
 5556 msgstr ""
 5557 
 5558 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5559 #: sssd-ldap.5.xml:578
 5560 msgid ""
 5561 "Example: OpenLDAP servers with the paging control module installed on the "
 5562 "server but not enabled will report it in the RootDSE but be unable to use "
 5563 "it."
 5564 msgstr ""
 5565 
 5566 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5567 #: sssd-ldap.5.xml:584
 5568 msgid ""
 5569 "Example: 389 DS has a bug where it can only support a one paging control at "
 5570 "a time on a single connection. On busy clients, this can result in some "
 5571 "requests being denied."
 5572 msgstr ""
 5573 
 5574 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5575 #: sssd-ldap.5.xml:596
 5576 msgid "ldap_disable_range_retrieval (boolean)"
 5577 msgstr ""
 5578 
 5579 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5580 #: sssd-ldap.5.xml:599
 5581 msgid "Disable Active Directory range retrieval."
 5582 msgstr ""
 5583 
 5584 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5585 #: sssd-ldap.5.xml:602
 5586 msgid ""
 5587 "Active Directory limits the number of members to be retrieved in a single "
 5588 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
 5589 "group contains more members, the reply would include an AD-specific range "
 5590 "extension. This option disables parsing of the range extension, therefore "
 5591 "large groups will appear as having no members."
 5592 msgstr ""
 5593 
 5594 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5595 #: sssd-ldap.5.xml:617
 5596 msgid "ldap_sasl_minssf (integer)"
 5597 msgstr ""
 5598 
 5599 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5600 #: sssd-ldap.5.xml:620
 5601 msgid ""
 5602 "When communicating with an LDAP server using SASL, specify the minimum "
 5603 "security level necessary to establish the connection. The values of this "
 5604 "option are defined by OpenLDAP."
 5605 msgstr ""
 5606 
 5607 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5608 #: sssd-ldap.5.xml:626 sssd-ldap.5.xml:642
 5609 msgid "Default: Use the system default (usually specified by ldap.conf)"
 5610 msgstr ""
 5611 
 5612 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5613 #: sssd-ldap.5.xml:633
 5614 msgid "ldap_sasl_maxssf (integer)"
 5615 msgstr ""
 5616 
 5617 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5618 #: sssd-ldap.5.xml:636
 5619 msgid ""
 5620 "When communicating with an LDAP server using SASL, specify the maximal "
 5621 "security level necessary to establish the connection. The values of this "
 5622 "option are defined by OpenLDAP."
 5623 msgstr ""
 5624 
 5625 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5626 #: sssd-ldap.5.xml:649
 5627 msgid "ldap_deref_threshold (integer)"
 5628 msgstr ""
 5629 
 5630 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5631 #: sssd-ldap.5.xml:652
 5632 msgid ""
 5633 "Specify the number of group members that must be missing from the internal "
 5634 "cache in order to trigger a dereference lookup. If less members are missing, "
 5635 "they are looked up individually."
 5636 msgstr ""
 5637 
 5638 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5639 #: sssd-ldap.5.xml:658
 5640 msgid ""
 5641 "You can turn off dereference lookups completely by setting the value to "
 5642 "0. Please note that there are some codepaths in SSSD, like the IPA HBAC "
 5643 "provider, that are only implemented using the dereference call, so even with "
 5644 "dereference explicitly disabled, those parts will still use dereference if "
 5645 "the server supports it and advertises the dereference control in the rootDSE "
 5646 "object."
 5647 msgstr ""
 5648 
 5649 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5650 #: sssd-ldap.5.xml:669
 5651 msgid ""
 5652 "A dereference lookup is a means of fetching all group members in a single "
 5653 "LDAP call.  Different LDAP servers may implement different dereference "
 5654 "methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
 5655 "Directory."
 5656 msgstr ""
 5657 
 5658 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5659 #: sssd-ldap.5.xml:677
 5660 msgid ""
 5661 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 5662 "filter, then the dereference lookup performance enhancement will be disabled "
 5663 "regardless of this setting."
 5664 msgstr ""
 5665 
 5666 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5667 #: sssd-ldap.5.xml:690
 5668 msgid "ldap_tls_reqcert (string)"
 5669 msgstr ""
 5670 
 5671 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5672 #: sssd-ldap.5.xml:693
 5673 msgid ""
 5674 "Specifies what checks to perform on server certificates in a TLS session, if "
 5675 "any. It can be specified as one of the following values:"
 5676 msgstr ""
 5677 
 5678 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5679 #: sssd-ldap.5.xml:699
 5680 msgid ""
 5681 "<emphasis>never</emphasis> = The client will not request or check any server "
 5682 "certificate."
 5683 msgstr ""
 5684 
 5685 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5686 #: sssd-ldap.5.xml:703
 5687 msgid ""
 5688 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 5689 "certificate is provided, the session proceeds normally. If a bad certificate "
 5690 "is provided, it will be ignored and the session proceeds normally."
 5691 msgstr ""
 5692 
 5693 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5694 #: sssd-ldap.5.xml:710
 5695 msgid ""
 5696 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 5697 "certificate is provided, the session proceeds normally. If a bad certificate "
 5698 "is provided, the session is immediately terminated."
 5699 msgstr ""
 5700 
 5701 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5702 #: sssd-ldap.5.xml:716
 5703 msgid ""
 5704 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 5705 "certificate is provided, or a bad certificate is provided, the session is "
 5706 "immediately terminated."
 5707 msgstr ""
 5708 
 5709 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5710 #: sssd-ldap.5.xml:722
 5711 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 5712 msgstr ""
 5713 
 5714 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5715 #: sssd-ldap.5.xml:726
 5716 msgid "Default: hard"
 5717 msgstr ""
 5718 
 5719 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5720 #: sssd-ldap.5.xml:732
 5721 msgid "ldap_tls_cacert (string)"
 5722 msgstr ""
 5723 
 5724 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5725 #: sssd-ldap.5.xml:735
 5726 msgid ""
 5727 "Specifies the file that contains certificates for all of the Certificate "
 5728 "Authorities that <command>sssd</command> will recognize."
 5729 msgstr ""
 5730 
 5731 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5732 #: sssd-ldap.5.xml:740 sssd-ldap.5.xml:758 sssd-ldap.5.xml:799
 5733 msgid ""
 5734 "Default: use OpenLDAP defaults, typically in "
 5735 "<filename>/etc/openldap/ldap.conf</filename>"
 5736 msgstr ""
 5737 
 5738 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5739 #: sssd-ldap.5.xml:747
 5740 msgid "ldap_tls_cacertdir (string)"
 5741 msgstr ""
 5742 
 5743 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5744 #: sssd-ldap.5.xml:750
 5745 msgid ""
 5746 "Specifies the path of a directory that contains Certificate Authority "
 5747 "certificates in separate individual files. Typically the file names need to "
 5748 "be the hash of the certificate followed by '.0'.  If available, "
 5749 "<command>cacertdir_rehash</command> can be used to create the correct names."
 5750 msgstr ""
 5751 
 5752 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5753 #: sssd-ldap.5.xml:765
 5754 msgid "ldap_tls_cert (string)"
 5755 msgstr ""
 5756 
 5757 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5758 #: sssd-ldap.5.xml:768
 5759 msgid "Specifies the file that contains the certificate for the client's key."
 5760 msgstr ""
 5761 
 5762 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5763 #: sssd-ldap.5.xml:778
 5764 msgid "ldap_tls_key (string)"
 5765 msgstr ""
 5766 
 5767 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5768 #: sssd-ldap.5.xml:781
 5769 msgid "Specifies the file that contains the client's key."
 5770 msgstr ""
 5771 
 5772 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5773 #: sssd-ldap.5.xml:790
 5774 msgid "ldap_tls_cipher_suite (string)"
 5775 msgstr ""
 5776 
 5777 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5778 #: sssd-ldap.5.xml:793
 5779 msgid ""
 5780 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 5781 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
 5782 "<manvolnum>5</manvolnum></citerefentry> for format."
 5783 msgstr ""
 5784 
 5785 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5786 #: sssd-ldap.5.xml:806
 5787 msgid "ldap_id_use_start_tls (boolean)"
 5788 msgstr ""
 5789 
 5790 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5791 #: sssd-ldap.5.xml:809
 5792 msgid ""
 5793 "Specifies that the id_provider connection must also use <systemitem "
 5794 "class=\"protocol\">tls</systemitem> to protect the channel."
 5795 msgstr ""
 5796 
 5797 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5798 #: sssd-ldap.5.xml:819
 5799 msgid "ldap_id_mapping (boolean)"
 5800 msgstr ""
 5801 
 5802 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5803 #: sssd-ldap.5.xml:822
 5804 msgid ""
 5805 "Specifies that SSSD should attempt to map user and group IDs from the "
 5806 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
 5807 "on ldap_user_uid_number and ldap_group_gid_number."
 5808 msgstr ""
 5809 
 5810 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5811 #: sssd-ldap.5.xml:828
 5812 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 5813 msgstr ""
 5814 
 5815 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5816 #: sssd-ldap.5.xml:838
 5817 msgid "ldap_min_id, ldap_max_id (integer)"
 5818 msgstr ""
 5819 
 5820 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5821 #: sssd-ldap.5.xml:841
 5822 msgid ""
 5823 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 5824 "set to true the allowed ID range for ldap_user_uid_number and "
 5825 "ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this "
 5826 "might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id "
 5827 "can be set to restrict the allowed range for the IDs which are read directly "
 5828 "from the server. Sub-domains can then pick other ranges to map IDs."
 5829 msgstr ""
 5830 
 5831 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5832 #: sssd-ldap.5.xml:853
 5833 msgid "Default: not set (both options are set to 0)"
 5834 msgstr ""
 5835 
 5836 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5837 #: sssd-ldap.5.xml:859
 5838 msgid "ldap_sasl_mech (string)"
 5839 msgstr ""
 5840 
 5841 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5842 #: sssd-ldap.5.xml:862
 5843 msgid ""
 5844 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 5845 "tested and supported."
 5846 msgstr ""
 5847 
 5848 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5849 #: sssd-ldap.5.xml:866
 5850 msgid ""
 5851 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 5852 "automatically inherited to the sub-domains. If a different value is needed "
 5853 "for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
 5854 "sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
 5855 "<citerefentry><refentrytitle>sssd.conf</refentrytitle> "
 5856 "<manvolnum>5</manvolnum></citerefentry> for details."
 5857 msgstr ""
 5858 
 5859 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5860 #: sssd-ldap.5.xml:882
 5861 msgid "ldap_sasl_authid (string)"
 5862 msgstr ""
 5863 
 5864 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
 5865 #: sssd-ldap.5.xml:894
 5866 #, no-wrap
 5867 msgid ""
 5868 "hostname@REALM\n"
 5869 "netbiosname$@REALM\n"
 5870 "host/hostname@REALM\n"
 5871 "*$@REALM\n"
 5872 "host/*@REALM\n"
 5873 "host/*\n"
 5874 "                            "
 5875 msgstr ""
 5876 
 5877 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5878 #: sssd-ldap.5.xml:885
 5879 msgid ""
 5880 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 5881 "this represents the Kerberos principal used for authentication to the "
 5882 "directory.  This option can either contain the full principal (for example "
 5883 "host/myhost@EXAMPLE.COM) or just the principal name (for example "
 5884 "host/myhost).  By default, the value is not set and the following principals "
 5885 "are used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them "
 5886 "are found, the first principal in keytab is returned."
 5887 msgstr ""
 5888 
 5889 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5890 #: sssd-ldap.5.xml:905
 5891 msgid "Default: host/hostname@REALM"
 5892 msgstr ""
 5893 
 5894 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5895 #: sssd-ldap.5.xml:911
 5896 msgid "ldap_sasl_realm (string)"
 5897 msgstr ""
 5898 
 5899 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5900 #: sssd-ldap.5.xml:914
 5901 msgid ""
 5902 "Specify the SASL realm to use. When not specified, this option defaults to "
 5903 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
 5904 "well, this option is ignored."
 5905 msgstr ""
 5906 
 5907 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5908 #: sssd-ldap.5.xml:920
 5909 msgid "Default: the value of krb5_realm."
 5910 msgstr ""
 5911 
 5912 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5913 #: sssd-ldap.5.xml:926
 5914 msgid "ldap_sasl_canonicalize (boolean)"
 5915 msgstr ""
 5916 
 5917 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5918 #: sssd-ldap.5.xml:929
 5919 msgid ""
 5920 "If set to true, the LDAP library would perform a reverse lookup to "
 5921 "canonicalize the host name during a SASL bind."
 5922 msgstr ""
 5923 
 5924 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5925 #: sssd-ldap.5.xml:934
 5926 msgid "Default: false;"
 5927 msgstr ""
 5928 
 5929 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5930 #: sssd-ldap.5.xml:940
 5931 msgid "ldap_krb5_keytab (string)"
 5932 msgstr ""
 5933 
 5934 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5935 #: sssd-ldap.5.xml:943
 5936 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 5937 msgstr ""
 5938 
 5939 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5940 #: sssd-ldap.5.xml:947
 5941 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 5942 msgstr ""
 5943 
 5944 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5945 #: sssd-ldap.5.xml:953
 5946 msgid "ldap_krb5_init_creds (boolean)"
 5947 msgstr ""
 5948 
 5949 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5950 #: sssd-ldap.5.xml:956
 5951 msgid ""
 5952 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 5953 "action is performed only if SASL is used and the mechanism selected is "
 5954 "GSSAPI or GSS-SPNEGO."
 5955 msgstr ""
 5956 
 5957 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5958 #: sssd-ldap.5.xml:968
 5959 msgid "ldap_krb5_ticket_lifetime (integer)"
 5960 msgstr ""
 5961 
 5962 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5963 #: sssd-ldap.5.xml:971
 5964 msgid ""
 5965 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is "
 5966 "used."
 5967 msgstr ""
 5968 
 5969 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5970 #: sssd-ldap.5.xml:975 sssd-ad.5.xml:1229
 5971 msgid "Default: 86400 (24 hours)"
 5972 msgstr ""
 5973 
 5974 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 5975 #: sssd-ldap.5.xml:981 sssd-krb5.5.xml:74
 5976 msgid "krb5_server, krb5_backup_server (string)"
 5977 msgstr ""
 5978 
 5979 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5980 #: sssd-ldap.5.xml:984
 5981 msgid ""
 5982 "Specifies the comma-separated list of IP addresses or hostnames of the "
 5983 "Kerberos servers to which SSSD should connect in the order of "
 5984 "preference. For more information on failover and server redundancy, see the "
 5985 "<quote>FAILOVER</quote> section. An optional port number (preceded by a "
 5986 "colon) may be appended to the addresses or hostnames.  If empty, service "
 5987 "discovery is enabled - for more information, refer to the <quote>SERVICE "
 5988 "DISCOVERY</quote> section."
 5989 msgstr ""
 5990 
 5991 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 5992 #: sssd-ldap.5.xml:996 sssd-krb5.5.xml:89
 5993 msgid ""
 5994 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 5995 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
 5996 "none are found."
 5997 msgstr ""
 5998 
 5999 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6000 #: sssd-ldap.5.xml:1001 sssd-krb5.5.xml:94
 6001 msgid ""
 6002 "This option was named <quote>krb5_kdcip</quote> in earlier releases of "
 6003 "SSSD. While the legacy name is recognized for the time being, users are "
 6004 "advised to migrate their config files to use <quote>krb5_server</quote> "
 6005 "instead."
 6006 msgstr ""
 6007 
 6008 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6009 #: sssd-ldap.5.xml:1010 sssd-ipa.5.xml:458 sssd-krb5.5.xml:103
 6010 msgid "krb5_realm (string)"
 6011 msgstr ""
 6012 
 6013 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6014 #: sssd-ldap.5.xml:1013
 6015 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 6016 msgstr ""
 6017 
 6018 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6019 #: sssd-ldap.5.xml:1017
 6020 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 6021 msgstr ""
 6022 
 6023 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6024 #: sssd-ldap.5.xml:1023 sssd-krb5.5.xml:462
 6025 msgid "krb5_canonicalize (boolean)"
 6026 msgstr ""
 6027 
 6028 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6029 #: sssd-ldap.5.xml:1026
 6030 msgid ""
 6031 "Specifies if the host principal should be canonicalized when connecting to "
 6032 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 6033 msgstr ""
 6034 
 6035 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6036 #: sssd-ldap.5.xml:1038 sssd-krb5.5.xml:477
 6037 msgid "krb5_use_kdcinfo (boolean)"
 6038 msgstr ""
 6039 
 6040 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6041 #: sssd-ldap.5.xml:1041 sssd-krb5.5.xml:480
 6042 msgid ""
 6043 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 6044 "which KDCs to use. This option is on by default, if you disable it, you need "
 6045 "to configure the Kerberos library using the <citerefentry> "
 6046 "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> "
 6047 "</citerefentry> configuration file."
 6048 msgstr ""
 6049 
 6050 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6051 #: sssd-ldap.5.xml:1052 sssd-krb5.5.xml:491
 6052 msgid ""
 6053 "See the <citerefentry> "
 6054 "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
 6055 "<manvolnum>8</manvolnum> </citerefentry> manual page for more information on "
 6056 "the locator plugin."
 6057 msgstr ""
 6058 
 6059 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6060 #: sssd-ldap.5.xml:1066
 6061 msgid "ldap_pwd_policy (string)"
 6062 msgstr ""
 6063 
 6064 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6065 #: sssd-ldap.5.xml:1069
 6066 msgid ""
 6067 "Select the policy to evaluate the password expiration on the client "
 6068 "side. The following values are allowed:"
 6069 msgstr ""
 6070 
 6071 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6072 #: sssd-ldap.5.xml:1074
 6073 msgid ""
 6074 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 6075 "cannot disable server-side password policies."
 6076 msgstr ""
 6077 
 6078 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6079 #: sssd-ldap.5.xml:1079
 6080 msgid ""
 6081 "<emphasis>shadow</emphasis> - Use "
 6082 "<citerefentry><refentrytitle>shadow</refentrytitle> "
 6083 "<manvolnum>5</manvolnum></citerefentry> style attributes to evaluate if the "
 6084 "password has expired."
 6085 msgstr ""
 6086 
 6087 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6088 #: sssd-ldap.5.xml:1085
 6089 msgid ""
 6090 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 6091 "to determine if the password has expired. Use chpass_provider=krb5 to update "
 6092 "these attributes when the password is changed."
 6093 msgstr ""
 6094 
 6095 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6096 #: sssd-ldap.5.xml:1094
 6097 msgid ""
 6098 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 6099 "side, it always takes precedence over policy set with this option."
 6100 msgstr ""
 6101 
 6102 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6103 #: sssd-ldap.5.xml:1102
 6104 msgid "ldap_referrals (boolean)"
 6105 msgstr ""
 6106 
 6107 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6108 #: sssd-ldap.5.xml:1105
 6109 msgid "Specifies whether automatic referral chasing should be enabled."
 6110 msgstr ""
 6111 
 6112 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6113 #: sssd-ldap.5.xml:1109
 6114 msgid ""
 6115 "Please note that sssd only supports referral chasing when it is compiled "
 6116 "with OpenLDAP version 2.4.13 or higher."
 6117 msgstr ""
 6118 
 6119 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6120 #: sssd-ldap.5.xml:1114
 6121 msgid ""
 6122 "Chasing referrals may incur a performance penalty in environments that use "
 6123 "them heavily, a notable example is Microsoft Active Directory. If your setup "
 6124 "does not in fact require the use of referrals, setting this option to false "
 6125 "might bring a noticeable performance improvement.  Setting this option to "
 6126 "false is therefore recommended in case the SSSD LDAP provider is used "
 6127 "together with Microsoft Active Directory as a backend. Even if SSSD would be "
 6128 "able to follow the referral to a different AD DC no additional data would be "
 6129 "available."
 6130 msgstr ""
 6131 
 6132 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6133 #: sssd-ldap.5.xml:1133
 6134 msgid "ldap_dns_service_name (string)"
 6135 msgstr ""
 6136 
 6137 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6138 #: sssd-ldap.5.xml:1136
 6139 msgid "Specifies the service name to use when service discovery is enabled."
 6140 msgstr ""
 6141 
 6142 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6143 #: sssd-ldap.5.xml:1140
 6144 msgid "Default: ldap"
 6145 msgstr ""
 6146 
 6147 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6148 #: sssd-ldap.5.xml:1146
 6149 msgid "ldap_chpass_dns_service_name (string)"
 6150 msgstr ""
 6151 
 6152 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6153 #: sssd-ldap.5.xml:1149
 6154 msgid ""
 6155 "Specifies the service name to use to find an LDAP server which allows "
 6156 "password changes when service discovery is enabled."
 6157 msgstr ""
 6158 
 6159 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6160 #: sssd-ldap.5.xml:1154
 6161 msgid "Default: not set, i.e. service discovery is disabled"
 6162 msgstr ""
 6163 
 6164 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6165 #: sssd-ldap.5.xml:1160
 6166 msgid "ldap_chpass_update_last_change (bool)"
 6167 msgstr ""
 6168 
 6169 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6170 #: sssd-ldap.5.xml:1163
 6171 msgid ""
 6172 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 6173 "days since the Epoch after a password change operation."
 6174 msgstr ""
 6175 
 6176 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6177 #: sssd-ldap.5.xml:1175
 6178 msgid "ldap_access_filter (string)"
 6179 msgstr ""
 6180 
 6181 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6182 #: sssd-ldap.5.xml:1178
 6183 msgid ""
 6184 "If using access_provider = ldap and ldap_access_order = filter (default), "
 6185 "this option is mandatory. It specifies an LDAP search filter criteria that "
 6186 "must be met for the user to be granted access on this host. If "
 6187 "access_provider = ldap, ldap_access_order = filter and this option is not "
 6188 "set, it will result in all users being denied access.  Use access_provider = "
 6189 "permit to change this default behavior. Please note that this filter is "
 6190 "applied on the LDAP user entry only and thus filtering based on nested "
 6191 "groups may not work (e.g. memberOf attribute on AD entries points only to "
 6192 "direct parents). If filtering based on nested groups is required, please see "
 6193 "<citerefentry> "
 6194 "<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> "
 6195 "</citerefentry>."
 6196 msgstr ""
 6197 
 6198 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6199 #: sssd-ldap.5.xml:1198
 6200 msgid "Example:"
 6201 msgstr ""
 6202 
 6203 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
 6204 #: sssd-ldap.5.xml:1201
 6205 #, no-wrap
 6206 msgid ""
 6207 "access_provider = ldap\n"
 6208 "ldap_access_filter = (employeeType=admin)\n"
 6209 "                        "
 6210 msgstr ""
 6211 
 6212 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6213 #: sssd-ldap.5.xml:1205
 6214 msgid ""
 6215 "This example means that access to this host is restricted to users whose "
 6216 "employeeType attribute is set to \"admin\"."
 6217 msgstr ""
 6218 
 6219 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6220 #: sssd-ldap.5.xml:1210
 6221 msgid ""
 6222 "Offline caching for this feature is limited to determining whether the "
 6223 "user's last online login was granted access permission. If they were granted "
 6224 "access during their last login, they will continue to be granted access "
 6225 "while offline and vice versa."
 6226 msgstr ""
 6227 
 6228 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6229 #: sssd-ldap.5.xml:1218 sssd-ldap.5.xml:1275
 6230 msgid "Default: Empty"
 6231 msgstr ""
 6232 
 6233 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6234 #: sssd-ldap.5.xml:1224
 6235 msgid "ldap_account_expire_policy (string)"
 6236 msgstr ""
 6237 
 6238 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6239 #: sssd-ldap.5.xml:1227
 6240 msgid ""
 6241 "With this option a client side evaluation of access control attributes can "
 6242 "be enabled."
 6243 msgstr ""
 6244 
 6245 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6246 #: sssd-ldap.5.xml:1231
 6247 msgid ""
 6248 "Please note that it is always recommended to use server side access control, "
 6249 "i.e. the LDAP server should deny the bind request with a suitable error code "
 6250 "even if the password is correct."
 6251 msgstr ""
 6252 
 6253 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6254 #: sssd-ldap.5.xml:1238
 6255 msgid "The following values are allowed:"
 6256 msgstr ""
 6257 
 6258 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6259 #: sssd-ldap.5.xml:1241
 6260 msgid ""
 6261 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 6262 "determine if the account is expired."
 6263 msgstr ""
 6264 
 6265 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6266 #: sssd-ldap.5.xml:1246
 6267 msgid ""
 6268 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 6269 "ldap_user_ad_user_account_control and allow access if the second bit is not "
 6270 "set. If the attribute is missing access is granted. Also the expiration time "
 6271 "of the account is checked."
 6272 msgstr ""
 6273 
 6274 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6275 #: sssd-ldap.5.xml:1253
 6276 msgid ""
 6277 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, "
 6278 "<emphasis>389ds</emphasis>: use the value of ldap_ns_account_lock to check "
 6279 "if access is allowed or not."
 6280 msgstr ""
 6281 
 6282 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6283 #: sssd-ldap.5.xml:1259
 6284 msgid ""
 6285 "<emphasis>nds</emphasis>: the values of "
 6286 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
 6287 "ldap_user_nds_login_expiration_time are used to check if access is "
 6288 "allowed. If both attributes are missing access is granted."
 6289 msgstr ""
 6290 
 6291 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6292 #: sssd-ldap.5.xml:1268
 6293 msgid ""
 6294 "Please note that the ldap_access_order configuration option "
 6295 "<emphasis>must</emphasis> include <quote>expire</quote> in order for the "
 6296 "ldap_account_expire_policy option to work."
 6297 msgstr ""
 6298 
 6299 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6300 #: sssd-ldap.5.xml:1281
 6301 msgid "ldap_access_order (string)"
 6302 msgstr ""
 6303 
 6304 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6305 #: sssd-ldap.5.xml:1284
 6306 msgid "Comma separated list of access control options.  Allowed values are:"
 6307 msgstr ""
 6308 
 6309 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6310 #: sssd-ldap.5.xml:1288
 6311 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 6312 msgstr ""
 6313 
 6314 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6315 #: sssd-ldap.5.xml:1291
 6316 msgid ""
 6317 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 6318 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
 6319 "and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn.  "
 6320 "Please note that 'access_provider = ldap' must be set for this feature to "
 6321 "work."
 6322 msgstr ""
 6323 
 6324 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6325 #: sssd-ldap.5.xml:1301
 6326 msgid ""
 6327 "<emphasis> Please note that this option is superseded by the "
 6328 "<quote>ppolicy</quote> option and might be removed in a future release.  "
 6329 "</emphasis>"
 6330 msgstr ""
 6331 
 6332 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6333 #: sssd-ldap.5.xml:1308
 6334 msgid ""
 6335 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 6336 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
 6337 "and has value of '000001010000Z' or represents any time in the past.  The "
 6338 "value of the 'pwdAccountLockedTime' attribute must end with 'Z', which "
 6339 "denotes the UTC time zone.  Other time zones are not currently supported and "
 6340 "will result in \"access-denied\" when users attempt to log in.  Please see "
 6341 "the option ldap_pwdlockout_dn.  Please note that 'access_provider = ldap' "
 6342 "must be set for this feature to work."
 6343 msgstr ""
 6344 
 6345 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6346 #: sssd-ldap.5.xml:1325
 6347 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 6348 msgstr ""
 6349 
 6350 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6351 #: sssd-ldap.5.xml:1329
 6352 msgid ""
 6353 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 6354 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
 6355 "interested in being warned that password is about to expire and "
 6356 "authentication is based on using a different method than passwords - for "
 6357 "example SSH keys."
 6358 msgstr ""
 6359 
 6360 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6361 #: sssd-ldap.5.xml:1339
 6362 msgid ""
 6363 "The difference between these options is the action taken if user password is "
 6364 "expired: pwd_expire_policy_reject - user is denied to log in, "
 6365 "pwd_expire_policy_warn - user is still able to log in, "
 6366 "pwd_expire_policy_renew - user is prompted to change his password "
 6367 "immediately."
 6368 msgstr ""
 6369 
 6370 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6371 #: sssd-ldap.5.xml:1347
 6372 msgid "Note If user password is expired no explicit message is prompted by SSSD."
 6373 msgstr ""
 6374 
 6375 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6376 #: sssd-ldap.5.xml:1351
 6377 msgid ""
 6378 "Please note that 'access_provider = ldap' must be set for this feature to "
 6379 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 6380 msgstr ""
 6381 
 6382 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6383 #: sssd-ldap.5.xml:1356
 6384 msgid ""
 6385 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 6386 "to determine access"
 6387 msgstr ""
 6388 
 6389 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6390 #: sssd-ldap.5.xml:1361
 6391 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 6392 msgstr ""
 6393 
 6394 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6395 #: sssd-ldap.5.xml:1365
 6396 msgid ""
 6397 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 6398 "remote host can access"
 6399 msgstr ""
 6400 
 6401 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6402 #: sssd-ldap.5.xml:1369
 6403 msgid ""
 6404 "Please note, rhost field in pam is set by application, it is better to check "
 6405 "what the application sends to pam, before enabling this access control "
 6406 "option"
 6407 msgstr ""
 6408 
 6409 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6410 #: sssd-ldap.5.xml:1374
 6411 msgid "Default: filter"
 6412 msgstr ""
 6413 
 6414 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6415 #: sssd-ldap.5.xml:1377
 6416 msgid ""
 6417 "Please note that it is a configuration error if a value is used more than "
 6418 "once."
 6419 msgstr ""
 6420 
 6421 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6422 #: sssd-ldap.5.xml:1384
 6423 msgid "ldap_pwdlockout_dn (string)"
 6424 msgstr ""
 6425 
 6426 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6427 #: sssd-ldap.5.xml:1387
 6428 msgid ""
 6429 "This option specifies the DN of password policy entry on LDAP server. Please "
 6430 "note that absence of this option in sssd.conf in case of enabled account "
 6431 "lockout checking will yield access denied as ppolicy attributes on LDAP "
 6432 "server cannot be checked properly."
 6433 msgstr ""
 6434 
 6435 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6436 #: sssd-ldap.5.xml:1395
 6437 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 6438 msgstr ""
 6439 
 6440 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6441 #: sssd-ldap.5.xml:1398
 6442 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 6443 msgstr ""
 6444 
 6445 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6446 #: sssd-ldap.5.xml:1404
 6447 msgid "ldap_deref (string)"
 6448 msgstr ""
 6449 
 6450 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6451 #: sssd-ldap.5.xml:1407
 6452 msgid ""
 6453 "Specifies how alias dereferencing is done when performing a search. The "
 6454 "following options are allowed:"
 6455 msgstr ""
 6456 
 6457 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6458 #: sssd-ldap.5.xml:1412
 6459 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 6460 msgstr ""
 6461 
 6462 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6463 #: sssd-ldap.5.xml:1416
 6464 msgid ""
 6465 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 6466 "the base object, but not in locating the base object of the search."
 6467 msgstr ""
 6468 
 6469 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6470 #: sssd-ldap.5.xml:1421
 6471 msgid ""
 6472 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 6473 "the base object of the search."
 6474 msgstr ""
 6475 
 6476 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6477 #: sssd-ldap.5.xml:1426
 6478 msgid ""
 6479 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 6480 "in locating the base object of the search."
 6481 msgstr ""
 6482 
 6483 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6484 #: sssd-ldap.5.xml:1431
 6485 msgid ""
 6486 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 6487 "client libraries)"
 6488 msgstr ""
 6489 
 6490 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6491 #: sssd-ldap.5.xml:1439
 6492 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 6493 msgstr ""
 6494 
 6495 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6496 #: sssd-ldap.5.xml:1442
 6497 msgid ""
 6498 "Allows to retain local users as members of an LDAP group for servers that "
 6499 "use the RFC2307 schema."
 6500 msgstr ""
 6501 
 6502 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6503 #: sssd-ldap.5.xml:1446
 6504 msgid ""
 6505 "In some environments where the RFC2307 schema is used, local users are made "
 6506 "members of LDAP groups by adding their names to the memberUid attribute.  "
 6507 "The self-consistency of the domain is compromised when this is done, so SSSD "
 6508 "would normally remove the \"missing\" users from the cached group "
 6509 "memberships as soon as nsswitch tries to fetch information about the user "
 6510 "via getpw*() or initgroups() calls."
 6511 msgstr ""
 6512 
 6513 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6514 #: sssd-ldap.5.xml:1457
 6515 msgid ""
 6516 "This option falls back to checking if local users are referenced, and caches "
 6517 "them so that later initgroups() calls will augment the local users with the "
 6518 "additional LDAP groups."
 6519 msgstr ""
 6520 
 6521 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 6522 #: sssd-ldap.5.xml:1469 sssd-ifp.5.xml:136
 6523 msgid "wildcard_limit (integer)"
 6524 msgstr ""
 6525 
 6526 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6527 #: sssd-ldap.5.xml:1472
 6528 msgid ""
 6529 "Specifies an upper limit on the number of entries that are downloaded during "
 6530 "a wildcard lookup."
 6531 msgstr ""
 6532 
 6533 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6534 #: sssd-ldap.5.xml:1476
 6535 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 6536 msgstr ""
 6537 
 6538 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6539 #: sssd-ldap.5.xml:1480
 6540 msgid "Default: 1000 (often the size of one page)"
 6541 msgstr ""
 6542 
 6543 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6544 #: sssd-ldap.5.xml:1486
 6545 msgid "ldap_library_debug_level (integer)"
 6546 msgstr ""
 6547 
 6548 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6549 #: sssd-ldap.5.xml:1489
 6550 msgid ""
 6551 "Switches on libldap debugging with the given level.  The libldap debug "
 6552 "messages will be written independent of the general debug_level."
 6553 msgstr ""
 6554 
 6555 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6556 #: sssd-ldap.5.xml:1494
 6557 msgid ""
 6558 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 6559 "enable full debug output."
 6560 msgstr ""
 6561 
 6562 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6563 #: sssd-ldap.5.xml:1499
 6564 msgid "Default: 0 (libldap debugging disabled)"
 6565 msgstr ""
 6566 
 6567 #. type: Content of: <reference><refentry><refsect1><para>
 6568 #: sssd-ldap.5.xml:51
 6569 msgid ""
 6570 "All of the common configuration options that apply to SSSD domains also "
 6571 "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
 6572 "of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
 6573 "<manvolnum>5</manvolnum> </citerefentry> manual page for full details.  Note "
 6574 "that SSSD LDAP mapping attributes are described in the <citerefentry> "
 6575 "<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> "
 6576 "</citerefentry> manual page.  <placeholder type=\"variablelist\" id=\"0\"/>"
 6577 msgstr ""
 6578 
 6579 #. type: Content of: <reference><refentry><refsect1><title>
 6580 #: sssd-ldap.5.xml:1509
 6581 msgid "SUDO OPTIONS"
 6582 msgstr ""
 6583 
 6584 #. type: Content of: <reference><refentry><refsect1><para>
 6585 #: sssd-ldap.5.xml:1511
 6586 msgid ""
 6587 "The detailed instructions for configuration of sudo_provider are in the "
 6588 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
 6589 "<manvolnum>5</manvolnum> </citerefentry>."
 6590 msgstr ""
 6591 
 6592 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6593 #: sssd-ldap.5.xml:1522
 6594 msgid "ldap_sudo_full_refresh_interval (integer)"
 6595 msgstr ""
 6596 
 6597 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6598 #: sssd-ldap.5.xml:1525
 6599 msgid ""
 6600 "How many seconds SSSD will wait between executing a full refresh of sudo "
 6601 "rules (which downloads all rules that are stored on the server)."
 6602 msgstr ""
 6603 
 6604 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6605 #: sssd-ldap.5.xml:1530
 6606 msgid ""
 6607 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval "
 6608 "</emphasis>"
 6609 msgstr ""
 6610 
 6611 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6612 #: sssd-ldap.5.xml:1535
 6613 msgid "Default: 21600 (6 hours)"
 6614 msgstr ""
 6615 
 6616 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6617 #: sssd-ldap.5.xml:1541
 6618 msgid "ldap_sudo_smart_refresh_interval (integer)"
 6619 msgstr ""
 6620 
 6621 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6622 #: sssd-ldap.5.xml:1544
 6623 msgid ""
 6624 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 6625 "rules (which downloads all rules that have USN higher than the highest "
 6626 "server USN value that is currently known by SSSD)."
 6627 msgstr ""
 6628 
 6629 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6630 #: sssd-ldap.5.xml:1550
 6631 msgid ""
 6632 "If USN attributes are not supported by the server, the modifyTimestamp "
 6633 "attribute is used instead."
 6634 msgstr ""
 6635 
 6636 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6637 #: sssd-ldap.5.xml:1554
 6638 msgid ""
 6639 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 6640 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
 6641 "enumeration of users and groups (if enabled and updated users or groups are "
 6642 "found) and 3) by reconnecting to the server (by default every 15 minutes, "
 6643 "see <emphasis>ldap_connection_expire_timeout</emphasis>)."
 6644 msgstr ""
 6645 
 6646 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6647 #: sssd-ldap.5.xml:1571
 6648 msgid "ldap_sudo_use_host_filter (boolean)"
 6649 msgstr ""
 6650 
 6651 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6652 #: sssd-ldap.5.xml:1574
 6653 msgid ""
 6654 "If true, SSSD will download only rules that are applicable to this machine "
 6655 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 6656 msgstr ""
 6657 
 6658 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6659 #: sssd-ldap.5.xml:1585
 6660 msgid "ldap_sudo_hostnames (string)"
 6661 msgstr ""
 6662 
 6663 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6664 #: sssd-ldap.5.xml:1588
 6665 msgid ""
 6666 "Space separated list of hostnames or fully qualified domain names that "
 6667 "should be used to filter the rules."
 6668 msgstr ""
 6669 
 6670 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6671 #: sssd-ldap.5.xml:1593
 6672 msgid ""
 6673 "If this option is empty, SSSD will try to discover the hostname and the "
 6674 "fully qualified domain name automatically."
 6675 msgstr ""
 6676 
 6677 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6678 #: sssd-ldap.5.xml:1598 sssd-ldap.5.xml:1621 sssd-ldap.5.xml:1639
 6679 #: sssd-ldap.5.xml:1657
 6680 msgid ""
 6681 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is "
 6682 "<emphasis>false</emphasis> then this option has no effect."
 6683 msgstr ""
 6684 
 6685 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6686 #: sssd-ldap.5.xml:1603 sssd-ldap.5.xml:1626
 6687 msgid "Default: not specified"
 6688 msgstr ""
 6689 
 6690 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6691 #: sssd-ldap.5.xml:1609
 6692 msgid "ldap_sudo_ip (string)"
 6693 msgstr ""
 6694 
 6695 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6696 #: sssd-ldap.5.xml:1612
 6697 msgid ""
 6698 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 6699 "used to filter the rules."
 6700 msgstr ""
 6701 
 6702 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6703 #: sssd-ldap.5.xml:1617
 6704 msgid ""
 6705 "If this option is empty, SSSD will try to discover the addresses "
 6706 "automatically."
 6707 msgstr ""
 6708 
 6709 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6710 #: sssd-ldap.5.xml:1632
 6711 msgid "ldap_sudo_include_netgroups (boolean)"
 6712 msgstr ""
 6713 
 6714 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6715 #: sssd-ldap.5.xml:1635
 6716 msgid ""
 6717 "If true then SSSD will download every rule that contains a netgroup in "
 6718 "sudoHost attribute."
 6719 msgstr ""
 6720 
 6721 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6722 #: sssd-ldap.5.xml:1650
 6723 msgid "ldap_sudo_include_regexp (boolean)"
 6724 msgstr ""
 6725 
 6726 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6727 #: sssd-ldap.5.xml:1653
 6728 msgid ""
 6729 "If true then SSSD will download every rule that contains a wildcard in "
 6730 "sudoHost attribute."
 6731 msgstr ""
 6732 
 6733 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
 6734 #: sssd-ldap.5.xml:1663
 6735 msgid ""
 6736 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 6737 "server side!"
 6738 msgstr ""
 6739 
 6740 #. type: Content of: <reference><refentry><refsect1><para>
 6741 #: sssd-ldap.5.xml:1675
 6742 msgid ""
 6743 "This manual page only describes attribute name mapping.  For detailed "
 6744 "explanation of sudo related attribute semantics, see <citerefentry> "
 6745 "<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> "
 6746 "</citerefentry>"
 6747 msgstr ""
 6748 
 6749 #. type: Content of: <reference><refentry><refsect1><title>
 6750 #: sssd-ldap.5.xml:1685
 6751 msgid "AUTOFS OPTIONS"
 6752 msgstr ""
 6753 
 6754 #. type: Content of: <reference><refentry><refsect1><para>
 6755 #: sssd-ldap.5.xml:1687
 6756 msgid ""
 6757 "Some of the defaults for the parameters below are dependent on the LDAP "
 6758 "schema."
 6759 msgstr ""
 6760 
 6761 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6762 #: sssd-ldap.5.xml:1693
 6763 msgid "ldap_autofs_map_master_name (string)"
 6764 msgstr ""
 6765 
 6766 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6767 #: sssd-ldap.5.xml:1696
 6768 msgid "The name of the automount master map in LDAP."
 6769 msgstr ""
 6770 
 6771 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 6772 #: sssd-ldap.5.xml:1699
 6773 msgid "Default: auto.master"
 6774 msgstr ""
 6775 
 6776 #. type: Content of: <reference><refentry><refsect1><title>
 6777 #: sssd-ldap.5.xml:1710
 6778 msgid "ADVANCED OPTIONS"
 6779 msgstr ""
 6780 
 6781 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6782 #: sssd-ldap.5.xml:1717
 6783 msgid "ldap_netgroup_search_base (string)"
 6784 msgstr ""
 6785 
 6786 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6787 #: sssd-ldap.5.xml:1722
 6788 msgid "ldap_user_search_base (string)"
 6789 msgstr ""
 6790 
 6791 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6792 #: sssd-ldap.5.xml:1727
 6793 msgid "ldap_group_search_base (string)"
 6794 msgstr ""
 6795 
 6796 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
 6797 #: sssd-ldap.5.xml:1732
 6798 msgid "<note>"
 6799 msgstr ""
 6800 
 6801 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
 6802 #: sssd-ldap.5.xml:1734
 6803 msgid ""
 6804 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 6805 "against Active Directory will not be restricted and return all groups "
 6806 "memberships, even with no GID mapping. It is recommended to disable this "
 6807 "feature, if group names are not being displayed correctly."
 6808 msgstr ""
 6809 
 6810 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
 6811 #: sssd-ldap.5.xml:1741
 6812 msgid "</note>"
 6813 msgstr ""
 6814 
 6815 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6816 #: sssd-ldap.5.xml:1743
 6817 msgid "ldap_sudo_search_base (string)"
 6818 msgstr ""
 6819 
 6820 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 6821 #: sssd-ldap.5.xml:1748
 6822 msgid "ldap_autofs_search_base (string)"
 6823 msgstr ""
 6824 
 6825 #. type: Content of: <reference><refentry><refsect1><para>
 6826 #: sssd-ldap.5.xml:1712
 6827 msgid ""
 6828 "These options are supported by LDAP domains, but they should be used with "
 6829 "caution. Please include them in your configuration only if you know what you "
 6830 "are doing.  <placeholder type=\"variablelist\" id=\"0\"/> <placeholder "
 6831 "type=\"variablelist\" id=\"1\"/>"
 6832 msgstr ""
 6833 
 6834 #. type: Content of: <reference><refentry><refsect1><title>
 6835 #: sssd-ldap.5.xml:1763 sssd-simple.5.xml:131 sssd-ipa.5.xml:857
 6836 #: sssd-ad.5.xml:1363 sssd-krb5.5.xml:623 sss_rpcidmapd.5.xml:98
 6837 #: sssd-files.5.xml:130 sssd-session-recording.5.xml:176
 6838 msgid "EXAMPLE"
 6839 msgstr ""
 6840 
 6841 #. type: Content of: <reference><refentry><refsect1><para>
 6842 #: sssd-ldap.5.xml:1765
 6843 msgid ""
 6844 "The following example assumes that SSSD is correctly configured and LDAP is "
 6845 "set to one of the domains in the <replaceable>[domains]</replaceable> "
 6846 "section."
 6847 msgstr ""
 6848 
 6849 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
 6850 #: sssd-ldap.5.xml:1771
 6851 #, no-wrap
 6852 msgid ""
 6853 "[domain/LDAP]\n"
 6854 "id_provider = ldap\n"
 6855 "auth_provider = ldap\n"
 6856 "ldap_uri = ldap://ldap.mydomain.org\n"
 6857 "ldap_search_base = dc=mydomain,dc=org\n"
 6858 "ldap_tls_reqcert = demand\n"
 6859 "cache_credentials = true\n"
 6860 msgstr ""
 6861 
 6862 #. type: Content of: <refsect1><refsect2><para>
 6863 #: sssd-ldap.5.xml:1770 sssd-ldap.5.xml:1788 sssd-simple.5.xml:139
 6864 #: sssd-ipa.5.xml:865 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:632
 6865 #: sssd-files.5.xml:137 sssd-files.5.xml:148 sssd-session-recording.5.xml:182
 6866 #: include/ldap_id_mapping.xml:105
 6867 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 6868 msgstr ""
 6869 
 6870 #. type: Content of: <reference><refentry><refsect1><title>
 6871 #: sssd-ldap.5.xml:1782
 6872 msgid "LDAP ACCESS FILTER EXAMPLE"
 6873 msgstr ""
 6874 
 6875 #. type: Content of: <reference><refentry><refsect1><para>
 6876 #: sssd-ldap.5.xml:1784
 6877 msgid ""
 6878 "The following example assumes that SSSD is correctly configured and to use "
 6879 "the ldap_access_order=lockout."
 6880 msgstr ""
 6881 
 6882 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
 6883 #: sssd-ldap.5.xml:1789
 6884 #, no-wrap
 6885 msgid ""
 6886 "[domain/LDAP]\n"
 6887 "id_provider = ldap\n"
 6888 "auth_provider = ldap\n"
 6889 "access_provider = ldap\n"
 6890 "ldap_access_order = lockout\n"
 6891 "ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
 6892 "ldap_uri = ldap://ldap.mydomain.org\n"
 6893 "ldap_search_base = dc=mydomain,dc=org\n"
 6894 "ldap_tls_reqcert = demand\n"
 6895 "cache_credentials = true\n"
 6896 msgstr ""
 6897 
 6898 #. type: Content of: <reference><refentry><refsect1><title>
 6899 #: sssd-ldap.5.xml:1804 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
 6900 #: sssd-ad.5.xml:1386 sssd.8.xml:257 sss_seed.8.xml:163
 6901 msgid "NOTES"
 6902 msgstr ""
 6903 
 6904 #. type: Content of: <reference><refentry><refsect1><para>
 6905 #: sssd-ldap.5.xml:1806
 6906 msgid ""
 6907 "The descriptions of some of the configuration options in this manual page "
 6908 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
 6909 "<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
 6910 "distribution."
 6911 msgstr ""
 6912 
 6913 #. type: Content of: <reference><refentry><refnamediv><refname>
 6914 #: pam_sss.8.xml:11 pam_sss.8.xml:16
 6915 msgid "pam_sss"
 6916 msgstr ""
 6917 
 6918 #. type: Content of: <reference><refentry><refnamediv><refpurpose>
 6919 #: pam_sss.8.xml:17
 6920 msgid "PAM module for SSSD"
 6921 msgstr ""
 6922 
 6923 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 6924 #: pam_sss.8.xml:22
 6925 msgid ""
 6926 "<command>pam_sss.so</command> <arg choice='opt'> "
 6927 "<replaceable>quiet</replaceable> </arg> <arg choice='opt'> "
 6928 "<replaceable>forward_pass</replaceable> </arg> <arg choice='opt'> "
 6929 "<replaceable>use_first_pass</replaceable> </arg> <arg choice='opt'> "
 6930 "<replaceable>use_authtok</replaceable> </arg> <arg choice='opt'> "
 6931 "<replaceable>retry=N</replaceable> </arg> <arg choice='opt'> "
 6932 "<replaceable>ignore_unknown_user</replaceable> </arg> <arg choice='opt'> "
 6933 "<replaceable>ignore_authinfo_unavail</replaceable> </arg> <arg choice='opt'> "
 6934 "<replaceable>domains=X</replaceable> </arg> <arg choice='opt'> "
 6935 "<replaceable>allow_missing_name</replaceable> </arg> <arg choice='opt'> "
 6936 "<replaceable>prompt_always</replaceable> </arg> <arg choice='opt'> "
 6937 "<replaceable>try_cert_auth</replaceable> </arg> <arg choice='opt'> "
 6938 "<replaceable>require_cert_auth</replaceable> </arg>"
 6939 msgstr ""
 6940 
 6941 #. type: Content of: <reference><refentry><refsect1><para>
 6942 #: pam_sss.8.xml:64
 6943 msgid ""
 6944 "<command>pam_sss.so</command> is the PAM interface to the System Security "
 6945 "Services daemon (SSSD). Errors and results are logged through "
 6946 "<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
 6947 msgstr ""
 6948 
 6949 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 6950 #: pam_sss.8.xml:74
 6951 msgid "<option>quiet</option>"
 6952 msgstr ""
 6953 
 6954 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 6955 #: pam_sss.8.xml:77
 6956 msgid "Suppress log messages for unknown users."
 6957 msgstr ""
 6958 
 6959 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 6960 #: pam_sss.8.xml:82
 6961 msgid "<option>forward_pass</option>"
 6962 msgstr ""
 6963 
 6964 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 6965 #: pam_sss.8.xml:85
 6966 msgid ""
 6967 "If <option>forward_pass</option> is set the entered password is put on the "
 6968 "stack for other PAM modules to use."
 6969 msgstr ""
 6970 
 6971 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 6972 #: pam_sss.8.xml:92
 6973 msgid "<option>use_first_pass</option>"
 6974 msgstr ""
 6975 
 6976 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 6977 #: pam_sss.8.xml:95
 6978 msgid ""
 6979 "The argument use_first_pass forces the module to use a previous stacked "
 6980 "modules password and will never prompt the user - if no password is "
 6981 "available or the password is not appropriate, the user will be denied "
 6982 "access."
 6983 msgstr ""
 6984 
 6985 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 6986 #: pam_sss.8.xml:103
 6987 msgid "<option>use_authtok</option>"
 6988 msgstr ""
 6989 
 6990 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 6991 #: pam_sss.8.xml:106
 6992 msgid ""
 6993 "When password changing enforce the module to set the new password to the one "
 6994 "provided by a previously stacked password module."
 6995 msgstr ""
 6996 
 6997 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 6998 #: pam_sss.8.xml:113
 6999 msgid "<option>retry=N</option>"
 7000 msgstr ""
 7001 
 7002 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7003 #: pam_sss.8.xml:116
 7004 msgid ""
 7005 "If specified the user is asked another N times for a password if "
 7006 "authentication fails. Default is 0."
 7007 msgstr ""
 7008 
 7009 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7010 #: pam_sss.8.xml:118
 7011 msgid ""
 7012 "Please note that this option might not work as expected if the application "
 7013 "calling PAM handles the user dialog on its own. A typical example is "
 7014 "<command>sshd</command> with <option>PasswordAuthentication</option>."
 7015 msgstr ""
 7016 
 7017 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7018 #: pam_sss.8.xml:127
 7019 msgid "<option>ignore_unknown_user</option>"
 7020 msgstr ""
 7021 
 7022 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7023 #: pam_sss.8.xml:130
 7024 msgid ""
 7025 "If this option is specified and the user does not exist, the PAM module will "
 7026 "return PAM_IGNORE. This causes the PAM framework to ignore this module."
 7027 msgstr ""
 7028 
 7029 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7030 #: pam_sss.8.xml:137
 7031 msgid "<option>ignore_authinfo_unavail</option>"
 7032 msgstr ""
 7033 
 7034 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7035 #: pam_sss.8.xml:141
 7036 msgid ""
 7037 "Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
 7038 "the SSSD daemon. This causes the PAM framework to ignore this module."
 7039 msgstr ""
 7040 
 7041 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7042 #: pam_sss.8.xml:148
 7043 msgid "<option>domains</option>"
 7044 msgstr ""
 7045 
 7046 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7047 #: pam_sss.8.xml:152
 7048 msgid ""
 7049 "Allows the administrator to restrict the domains a particular PAM service is "
 7050 "allowed to authenticate against. The format is a comma-separated list of "
 7051 "SSSD domain names, as specified in the sssd.conf file."
 7052 msgstr ""
 7053 
 7054 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7055 #: pam_sss.8.xml:158
 7056 msgid ""
 7057 "NOTE: If this is used for a service not running as root user, e.g. a "
 7058 "web-server, it must be used in conjunction with the "
 7059 "<quote>pam_trusted_users</quote> and <quote>pam_public_domains</quote> "
 7060 "options.  Please see the <citerefentry> "
 7061 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
 7062 "</citerefentry> manual page for more information on these two PAM responder "
 7063 "options."
 7064 msgstr ""
 7065 
 7066 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7067 #: pam_sss.8.xml:173
 7068 msgid "<option>allow_missing_name</option>"
 7069 msgstr ""
 7070 
 7071 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7072 #: pam_sss.8.xml:177
 7073 msgid ""
 7074 "The main purpose of this option is to let SSSD determine the user name based "
 7075 "on additional information, e.g. the certificate from a Smartcard."
 7076 msgstr ""
 7077 
 7078 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
 7079 #: pam_sss.8.xml:187
 7080 #, no-wrap
 7081 msgid ""
 7082 "auth sufficient pam_sss.so allow_missing_name\n"
 7083 "                        "
 7084 msgstr ""
 7085 
 7086 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7087 #: pam_sss.8.xml:182
 7088 msgid ""
 7089 "The current use case are login managers which can monitor a Smartcard reader "
 7090 "for card events. In case a Smartcard is inserted the login manager will call "
 7091 "a PAM stack which includes a line like <placeholder type=\"programlisting\" "
 7092 "id=\"0\"/> In this case SSSD will try to determine the user name based on "
 7093 "the content of the Smartcard, returns it to pam_sss which will finally put "
 7094 "it on the PAM stack."
 7095 msgstr ""
 7096 
 7097 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7098 #: pam_sss.8.xml:197
 7099 msgid "<option>prompt_always</option>"
 7100 msgstr ""
 7101 
 7102 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7103 #: pam_sss.8.xml:201
 7104 msgid ""
 7105 "Always prompt the user for credentials. With this option credentials "
 7106 "requested by other PAM modules, typically a password, will be ignored and "
 7107 "pam_sss will prompt for credentials again. Based on the pre-auth reply by "
 7108 "SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
 7109 "credentials."
 7110 msgstr ""
 7111 
 7112 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7113 #: pam_sss.8.xml:212
 7114 msgid "<option>try_cert_auth</option>"
 7115 msgstr ""
 7116 
 7117 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7118 #: pam_sss.8.xml:216
 7119 msgid ""
 7120 "Try to use certificate based authentication, i.e.  authentication with a "
 7121 "Smartcard or similar devices. If a Smartcard is available and the service is "
 7122 "allowed for Smartcard authentication the user will be prompted for a PIN and "
 7123 "the certificate based authentication will continue"
 7124 msgstr ""
 7125 
 7126 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7127 #: pam_sss.8.xml:224
 7128 msgid ""
 7129 "If no Smartcard is available or certificate based authentication is not "
 7130 "allowed for the current service PAM_AUTHINFO_UNAVAIL is returned."
 7131 msgstr ""
 7132 
 7133 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7134 #: pam_sss.8.xml:232
 7135 msgid "<option>require_cert_auth</option>"
 7136 msgstr ""
 7137 
 7138 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7139 #: pam_sss.8.xml:236
 7140 msgid ""
 7141 "Do certificate based authentication, i.e.  authentication with a Smartcard "
 7142 "or similar devices. If a Smartcard is not available the user will be "
 7143 "prompted to insert one. SSSD will wait for a Smartcard until the timeout "
 7144 "defined by p11_wait_for_card_timeout passed, please see "
 7145 "<citerefentry><refentrytitle>sssd.conf</refentrytitle> "
 7146 "<manvolnum>5</manvolnum></citerefentry> for details."
 7147 msgstr ""
 7148 
 7149 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7150 #: pam_sss.8.xml:246
 7151 msgid ""
 7152 "If no Smartcard is available after the timeout or certificate based "
 7153 "authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL "
 7154 "is returned."
 7155 msgstr ""
 7156 
 7157 #. type: Content of: <reference><refentry><refsect1><title>
 7158 #: pam_sss.8.xml:256 pam_sss_gss.8.xml:103
 7159 msgid "MODULE TYPES PROVIDED"
 7160 msgstr ""
 7161 
 7162 #. type: Content of: <reference><refentry><refsect1><para>
 7163 #: pam_sss.8.xml:257
 7164 msgid ""
 7165 "All module types (<option>account</option>, <option>auth</option>, "
 7166 "<option>password</option> and <option>session</option>) are provided."
 7167 msgstr ""
 7168 
 7169 #. type: Content of: <reference><refentry><refsect1><para>
 7170 #: pam_sss.8.xml:260
 7171 msgid ""
 7172 "If SSSD's PAM responder is not running, e.g. if the PAM responder socket is "
 7173 "not available, pam_sss will return PAM_USER_UNKNOWN when called as "
 7174 "<option>account</option> module to avoid issues with users from other "
 7175 "sources during access control."
 7176 msgstr ""
 7177 
 7178 #. type: Content of: <reference><refentry><refsect1><title>
 7179 #: pam_sss.8.xml:267 pam_sss_gss.8.xml:108
 7180 msgid "RETURN VALUES"
 7181 msgstr ""
 7182 
 7183 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7184 #: pam_sss.8.xml:270 pam_sss_gss.8.xml:111
 7185 msgid "PAM_SUCCESS"
 7186 msgstr ""
 7187 
 7188 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7189 #: pam_sss.8.xml:273 pam_sss_gss.8.xml:114
 7190 msgid "The PAM operation finished successfully."
 7191 msgstr ""
 7192 
 7193 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7194 #: pam_sss.8.xml:278 pam_sss_gss.8.xml:119
 7195 msgid "PAM_USER_UNKNOWN"
 7196 msgstr ""
 7197 
 7198 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7199 #: pam_sss.8.xml:281
 7200 msgid ""
 7201 "The user is not known to the authentication service or the SSSD's PAM "
 7202 "responder is not running."
 7203 msgstr ""
 7204 
 7205 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7206 #: pam_sss.8.xml:287 pam_sss_gss.8.xml:128
 7207 msgid "PAM_AUTH_ERR"
 7208 msgstr ""
 7209 
 7210 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7211 #: pam_sss.8.xml:290
 7212 msgid ""
 7213 "Authentication failure. Also, could be returned when there is a problem with "
 7214 "getting the certificate."
 7215 msgstr ""
 7216 
 7217 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7218 #: pam_sss.8.xml:296
 7219 msgid "PAM_PERM_DENIED"
 7220 msgstr ""
 7221 
 7222 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7223 #: pam_sss.8.xml:299
 7224 msgid ""
 7225 "Permission denied. The SSSD log files may contain additional information "
 7226 "about the error."
 7227 msgstr ""
 7228 
 7229 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7230 #: pam_sss.8.xml:305
 7231 msgid "PAM_IGNORE"
 7232 msgstr ""
 7233 
 7234 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7235 #: pam_sss.8.xml:308
 7236 msgid ""
 7237 "See options <option>ignore_unknown_user</option> and "
 7238 "<option>ignore_authinfo_unavail</option>."
 7239 msgstr ""
 7240 
 7241 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7242 #: pam_sss.8.xml:314
 7243 msgid "PAM_AUTHTOK_ERR"
 7244 msgstr ""
 7245 
 7246 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7247 #: pam_sss.8.xml:317
 7248 msgid ""
 7249 "Unable to obtain the new authentication token. Also, could be returned when "
 7250 "the user authenticates with certificates and multiple certificates are "
 7251 "available, but the installed version of GDM does not support selection from "
 7252 "multiple certificates."
 7253 msgstr ""
 7254 
 7255 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7256 #: pam_sss.8.xml:325 pam_sss_gss.8.xml:136
 7257 msgid "PAM_AUTHINFO_UNAVAIL"
 7258 msgstr ""
 7259 
 7260 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7261 #: pam_sss.8.xml:328 pam_sss_gss.8.xml:139
 7262 msgid ""
 7263 "Unable to access the authentication information.  This might be due to a "
 7264 "network or hardware failure."
 7265 msgstr ""
 7266 
 7267 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7268 #: pam_sss.8.xml:334
 7269 msgid "PAM_BUF_ERR"
 7270 msgstr ""
 7271 
 7272 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7273 #: pam_sss.8.xml:337
 7274 msgid ""
 7275 "A memory error occurred. Also, could be returned when options use_first_pass "
 7276 "or use_authtok were set, but no password was found from the previously "
 7277 "stacked PAM module."
 7278 msgstr ""
 7279 
 7280 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7281 #: pam_sss.8.xml:344 pam_sss_gss.8.xml:145
 7282 msgid "PAM_SYSTEM_ERR"
 7283 msgstr ""
 7284 
 7285 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7286 #: pam_sss.8.xml:347 pam_sss_gss.8.xml:148
 7287 msgid ""
 7288 "A system error occurred. The SSSD log files may contain additional "
 7289 "information about the error."
 7290 msgstr ""
 7291 
 7292 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7293 #: pam_sss.8.xml:353
 7294 msgid "PAM_CRED_ERR"
 7295 msgstr ""
 7296 
 7297 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7298 #: pam_sss.8.xml:356
 7299 msgid "Unable to set the credentials of the user."
 7300 msgstr ""
 7301 
 7302 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7303 #: pam_sss.8.xml:361
 7304 msgid "PAM_CRED_INSUFFICIENT"
 7305 msgstr ""
 7306 
 7307 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7308 #: pam_sss.8.xml:364
 7309 msgid ""
 7310 "The application does not have sufficient credentials to authenticate the "
 7311 "user. For example, missing PIN during smartcard authentication or missing "
 7312 "factor during two-factor authentication."
 7313 msgstr ""
 7314 
 7315 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7316 #: pam_sss.8.xml:372
 7317 msgid "PAM_SERVICE_ERR"
 7318 msgstr ""
 7319 
 7320 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7321 #: pam_sss.8.xml:375
 7322 msgid "Error in service module."
 7323 msgstr ""
 7324 
 7325 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7326 #: pam_sss.8.xml:380
 7327 msgid "PAM_NEW_AUTHTOK_REQD"
 7328 msgstr ""
 7329 
 7330 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7331 #: pam_sss.8.xml:383
 7332 msgid "The user's authentication token has expired."
 7333 msgstr ""
 7334 
 7335 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7336 #: pam_sss.8.xml:388
 7337 msgid "PAM_ACCT_EXPIRED"
 7338 msgstr ""
 7339 
 7340 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7341 #: pam_sss.8.xml:391
 7342 msgid "The user account has expired."
 7343 msgstr ""
 7344 
 7345 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7346 #: pam_sss.8.xml:396
 7347 msgid "PAM_SESSION_ERR"
 7348 msgstr ""
 7349 
 7350 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7351 #: pam_sss.8.xml:399
 7352 msgid "Unable to fetch IPA Desktop Profile rules or user info."
 7353 msgstr ""
 7354 
 7355 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7356 #: pam_sss.8.xml:404
 7357 msgid "PAM_CRED_UNAVAIL"
 7358 msgstr ""
 7359 
 7360 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7361 #: pam_sss.8.xml:407
 7362 msgid "Unable to retrieve Kerberos user credentials."
 7363 msgstr ""
 7364 
 7365 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7366 #: pam_sss.8.xml:412
 7367 msgid "PAM_NO_MODULE_DATA"
 7368 msgstr ""
 7369 
 7370 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7371 #: pam_sss.8.xml:415
 7372 msgid ""
 7373 "No authentication method was found by Kerberos.  This might happen if the "
 7374 "user has a Smartcard assigned but the pkint plugin is not available on the "
 7375 "client."
 7376 msgstr ""
 7377 
 7378 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7379 #: pam_sss.8.xml:422
 7380 msgid "PAM_CONV_ERR"
 7381 msgstr ""
 7382 
 7383 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7384 #: pam_sss.8.xml:425
 7385 msgid "Conversation failure."
 7386 msgstr ""
 7387 
 7388 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7389 #: pam_sss.8.xml:430
 7390 msgid "PAM_AUTHTOK_LOCK_BUSY"
 7391 msgstr ""
 7392 
 7393 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7394 #: pam_sss.8.xml:433
 7395 msgid "No KDC suitable for password change is available."
 7396 msgstr ""
 7397 
 7398 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7399 #: pam_sss.8.xml:438
 7400 msgid "PAM_ABORT"
 7401 msgstr ""
 7402 
 7403 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7404 #: pam_sss.8.xml:441
 7405 msgid "Unknown PAM call."
 7406 msgstr ""
 7407 
 7408 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7409 #: pam_sss.8.xml:446
 7410 msgid "PAM_MODULE_UNKNOWN"
 7411 msgstr ""
 7412 
 7413 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7414 #: pam_sss.8.xml:449
 7415 msgid "Unsupported PAM task or command."
 7416 msgstr ""
 7417 
 7418 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7419 #: pam_sss.8.xml:454
 7420 msgid "PAM_BAD_ITEM"
 7421 msgstr ""
 7422 
 7423 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7424 #: pam_sss.8.xml:457
 7425 msgid "The authentication module cannot handle Smartcard credentials."
 7426 msgstr ""
 7427 
 7428 #. type: Content of: <reference><refentry><refsect1><title>
 7429 #: pam_sss.8.xml:465
 7430 msgid "FILES"
 7431 msgstr ""
 7432 
 7433 #. type: Content of: <reference><refentry><refsect1><para>
 7434 #: pam_sss.8.xml:466
 7435 msgid ""
 7436 "If a password reset by root fails, because the corresponding SSSD provider "
 7437 "does not support password resets, an individual message can be "
 7438 "displayed. This message can e.g. contain instructions about how to reset a "
 7439 "password."
 7440 msgstr ""
 7441 
 7442 #. type: Content of: <reference><refentry><refsect1><para>
 7443 #: pam_sss.8.xml:471
 7444 msgid ""
 7445 "The message is read from the file "
 7446 "<filename>pam_sss_pw_reset_message.LOC</filename> where LOC stands for a "
 7447 "locale string returned by <citerefentry> "
 7448 "<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> "
 7449 "</citerefentry>. If there is no matching file the content of "
 7450 "<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
 7451 "the owner of the files and only root may have read and write permissions "
 7452 "while all other users must have only read permissions."
 7453 msgstr ""
 7454 
 7455 #. type: Content of: <reference><refentry><refsect1><para>
 7456 #: pam_sss.8.xml:481
 7457 msgid ""
 7458 "These files are searched in the directory "
 7459 "<filename>/etc/sssd/customize/DOMAIN_NAME/</filename>. If no matching file "
 7460 "is present a generic message is displayed."
 7461 msgstr ""
 7462 
 7463 #. type: Content of: <reference><refentry><refnamediv><refname>
 7464 #: pam_sss_gss.8.xml:11 pam_sss_gss.8.xml:16
 7465 msgid "pam_sss_gss"
 7466 msgstr ""
 7467 
 7468 #. type: Content of: <reference><refentry><refnamediv><refpurpose>
 7469 #: pam_sss_gss.8.xml:17
 7470 msgid "PAM module for SSSD GSSAPI authentication"
 7471 msgstr ""
 7472 
 7473 #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
 7474 #: pam_sss_gss.8.xml:22
 7475 msgid ""
 7476 "<command>pam_sss_gss.so</command> <arg choice='opt'> "
 7477 "<replaceable>debug</replaceable> </arg>"
 7478 msgstr ""
 7479 
 7480 #. type: Content of: <reference><refentry><refsect1><para>
 7481 #: pam_sss_gss.8.xml:32
 7482 msgid ""
 7483 "<command>pam_sss_gss.so</command> authenticates user over GSSAPI in "
 7484 "cooperation with SSSD."
 7485 msgstr ""
 7486 
 7487 #. type: Content of: <reference><refentry><refsect1><para>
 7488 #: pam_sss_gss.8.xml:36
 7489 msgid ""
 7490 "This module will try to authenticate the user using the GSSAPI hostbased "
 7491 "service name host@hostname which translates to host/hostname@REALM Kerberos "
 7492 "principal. The <emphasis>REALM</emphasis> part of the Kerberos principal "
 7493 "name is derived by Kerberos internal mechanisms and it can be set explicitly "
 7494 "in configuration of [domain_realm] section in /etc/krb5.conf."
 7495 msgstr ""
 7496 
 7497 #. type: Content of: <reference><refentry><refsect1><para>
 7498 #: pam_sss_gss.8.xml:44
 7499 msgid ""
 7500 "SSSD is used to provide desired service name and to validate the user's "
 7501 "credentials using GSSAPI calls. If the service ticket is already present in "
 7502 "the Kerberos credentials cache or if user's ticket granting ticket can be "
 7503 "used to get the correct service ticket then the user will be authenticated."
 7504 msgstr ""
 7505 
 7506 #. type: Content of: <reference><refentry><refsect1><para>
 7507 #: pam_sss_gss.8.xml:51
 7508 msgid ""
 7509 "If <option>pam_gssapi_check_upn</option> is True (default) then SSSD "
 7510 "requires that the credentials used to obtain the service tickets can be "
 7511 "associated with the user. This means that the principal that owns the "
 7512 "Kerberos credentials must match with the user principal name as defined in "
 7513 "LDAP."
 7514 msgstr ""
 7515 
 7516 #. type: Content of: <reference><refentry><refsect1><para>
 7517 #: pam_sss_gss.8.xml:58
 7518 msgid ""
 7519 "To enable GSSAPI authentication in SSSD, set "
 7520 "<option>pam_gssapi_services</option> option in [pam] or domain section of "
 7521 "sssd.conf. The service credentials need to be stored in SSSD's keytab (it is "
 7522 "already present if you use ipa or ad provider). The keytab location can be "
 7523 "set with <option>krb5_keytab</option> option. See <citerefentry> "
 7524 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
 7525 "</citerefentry> and <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
 7526 "<manvolnum>5</manvolnum> </citerefentry> for more details on these options."
 7527 msgstr ""
 7528 
 7529 #. type: Content of: <reference><refentry><refsect1><para>
 7530 #: pam_sss_gss.8.xml:74
 7531 msgid ""
 7532 "Some Kerberos deployments allow to assocate authentication indicators with a "
 7533 "particular pre-authentication method used to obtain the ticket granting "
 7534 "ticket by the user.  <command>pam_sss_gss.so</command> allows to enforce "
 7535 "presence of authentication indicators in the service tickets before a "
 7536 "particular PAM service can be accessed."
 7537 msgstr ""
 7538 
 7539 #. type: Content of: <reference><refentry><refsect1><para>
 7540 #: pam_sss_gss.8.xml:82
 7541 msgid ""
 7542 "If <option>pam_gssapi_indicators_map</option> is set in the [pam] or domain "
 7543 "section of sssd.conf, then SSSD will perform a check of the presence of any "
 7544 "configured indicators in the service ticket."
 7545 msgstr ""
 7546 
 7547 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 7548 #: pam_sss_gss.8.xml:93
 7549 msgid "<option>debug</option>"
 7550 msgstr ""
 7551 
 7552 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7553 #: pam_sss_gss.8.xml:96
 7554 msgid "Print debugging information."
 7555 msgstr ""
 7556 
 7557 #. type: Content of: <reference><refentry><refsect1><para>
 7558 #: pam_sss_gss.8.xml:104
 7559 msgid "Only the <option>auth</option> module type is provided."
 7560 msgstr ""
 7561 
 7562 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7563 #: pam_sss_gss.8.xml:122
 7564 msgid ""
 7565 "The user is not known to the authentication service or the GSSAPI "
 7566 "authentication is not supported."
 7567 msgstr ""
 7568 
 7569 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 7570 #: pam_sss_gss.8.xml:131
 7571 msgid "Authentication failure."
 7572 msgstr ""
 7573 
 7574 #. type: Content of: <reference><refentry><refsect1><para>
 7575 #: pam_sss_gss.8.xml:159
 7576 msgid ""
 7577 "The main use case is to provide password-less authentication in sudo but "
 7578 "without the need to disable authentication completely.  To achieve this, "
 7579 "first enable GSSAPI authentication for sudo in sssd.conf:"
 7580 msgstr ""
 7581 
 7582 #. type: Content of: <reference><refentry><refsect1><programlisting>
 7583 #: pam_sss_gss.8.xml:165
 7584 #, no-wrap
 7585 msgid ""
 7586 "[domain/MYDOMAIN]\n"
 7587 "pam_gssapi_services = sudo, sudo-i\n"
 7588 "        "
 7589 msgstr ""
 7590 
 7591 #. type: Content of: <reference><refentry><refsect1><para>
 7592 #: pam_sss_gss.8.xml:169
 7593 msgid ""
 7594 "And then enable the module in desired PAM stack (e.g. /etc/pam.d/sudo and "
 7595 "/etc/pam.d/sudo-i)."
 7596 msgstr ""
 7597 
 7598 #. type: Content of: <reference><refentry><refsect1><programlisting>
 7599 #: pam_sss_gss.8.xml:173
 7600 #, no-wrap
 7601 msgid ""
 7602 "...\n"
 7603 "auth sufficient pam_sss_gss.so\n"
 7604 "...\n"
 7605 "        "
 7606 msgstr ""
 7607 
 7608 #. type: Content of: <reference><refentry><refsect1><title>
 7609 #: pam_sss_gss.8.xml:180
 7610 msgid "TROUBLESHOOTING"
 7611 msgstr ""
 7612 
 7613 #. type: Content of: <reference><refentry><refsect1><para>
 7614 #: pam_sss_gss.8.xml:182
 7615 msgid ""
 7616 "SSSD logs, pam_sss_gss debug output and syslog may contain helpful "
 7617 "information about the error. Here are some common issues:"
 7618 msgstr ""
 7619 
 7620 #. type: Content of: <reference><refentry><refsect1><para>
 7621 #: pam_sss_gss.8.xml:186
 7622 msgid ""
 7623 "1. I have KRB5CCNAME environment variable set and the authentication does "
 7624 "not work: Depending on your sudo version, it is possible that sudo does not "
 7625 "pass this variable to the PAM environment. Try adding KRB5CCNAME to "
 7626 "<option>env_keep</option> in /etc/sudoers or in your LDAP sudo rules default "
 7627 "options."
 7628 msgstr ""
 7629 
 7630 #. type: Content of: <reference><refentry><refsect1><para>
 7631 #: pam_sss_gss.8.xml:193
 7632 msgid ""
 7633 "2. Authentication does not work and syslog contains \"Server not found in "
 7634 "Kerberos database\": Kerberos is probably not able to resolve correct realm "
 7635 "for the service ticket based on the hostname.  Try adding the hostname "
 7636 "directly to <option>[domain_realm]</option> in /etc/krb5.conf like so:"
 7637 msgstr ""
 7638 
 7639 #. type: Content of: <reference><refentry><refsect1><para>
 7640 #: pam_sss_gss.8.xml:200
 7641 msgid ""
 7642 "3. Authentication does not work and syslog contains \"No Kerberos "
 7643 "credentials available\": You don't have any credentials that can be used to "
 7644 "obtain the required service ticket. Use kinit or autheticate over SSSD to "
 7645 "acquire those credentials."
 7646 msgstr ""
 7647 
 7648 #. type: Content of: <reference><refentry><refsect1><para>
 7649 #: pam_sss_gss.8.xml:206
 7650 msgid ""
 7651 "4. Authentication does not work and SSSD sssd-pam log contains \"User with "
 7652 "UPN [$UPN] was not found.\" or \"UPN [$UPN] does not match target user "
 7653 "[$username].\": You are using credentials that can not be mapped to the user "
 7654 "that is being authenticated. Try to use kswitch to select different "
 7655 "principal, make sure you authenticated with SSSD or consider disabling "
 7656 "<option>pam_gssapi_check_upn</option>."
 7657 msgstr ""
 7658 
 7659 #. type: Content of: <reference><refentry><refsect1><programlisting>
 7660 #: pam_sss_gss.8.xml:214
 7661 #, no-wrap
 7662 msgid ""
 7663 "[domain_realm]\n"
 7664 ".myhostname = MYREALM\n"
 7665 "        "
 7666 msgstr ""
 7667 
 7668 #. type: Content of: <reference><refentry><refnamediv><refname>
 7669 #: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
 7670 msgid "sssd_krb5_locator_plugin"
 7671 msgstr ""
 7672 
 7673 #. type: Content of: <reference><refentry><refnamediv><refpurpose>
 7674 #: sssd_krb5_locator_plugin.8.xml:16
 7675 msgid "Kerberos locator plugin"
 7676 msgstr ""
 7677 
 7678 #. type: Content of: <reference><refentry><refsect1><para>
 7679 #: sssd_krb5_locator_plugin.8.xml:22
 7680 msgid ""
 7681 "The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
 7682 "used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such "
 7683 "a plugin to guide all Kerberos clients on a system to a single KDC. In "
 7684 "general it should not matter to which KDC a client process is talking to.  "
 7685 "But there are cases, e.g. after a password change, where not all KDCs are in "
 7686 "the same state because the new data has to be replicated first. To avoid "
 7687 "unexpected authentication failures and maybe even account lockings it would "
 7688 "be good to talk to a single KDC as long as possible."
 7689 msgstr ""
 7690 
 7691 #. type: Content of: <reference><refentry><refsect1><para>
 7692 #: sssd_krb5_locator_plugin.8.xml:34
 7693 msgid ""
 7694 "libkrb5 will search the locator plugin in the libkrb5 sub-directory of the "
 7695 "Kerberos plugin directory, see plugin_base_dir in <citerefentry> "
 7696 "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> "
 7697 "</citerefentry> for details. The plugin can only be disabled by removing the "
 7698 "plugin file. There is no option in the Kerberos configuration to disable "
 7699 "it. But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to "
 7700 "disable the plugin for individual commands. Alternatively the SSSD option "
 7701 "krb5_use_kdcinfo=False can be used to not generate the data needed by the "
 7702 "plugin. With this the plugin is still called but will provide no data to the "
 7703 "caller so that libkrb5 can fall back to other methods defined in krb5.conf."
 7704 msgstr ""
 7705 
 7706 #. type: Content of: <reference><refentry><refsect1><para>
 7707 #: sssd_krb5_locator_plugin.8.xml:50
 7708 msgid ""
 7709 "The plugin reads the information about the KDCs of a given realm from a file "
 7710 "called <filename>kdcinfo.REALM</filename>. The file should contain one or "
 7711 "more DNS names or IP addresses either in dotted-decimal IPv4 notation or the "
 7712 "hexadecimal IPv6 notation.  An optional port number can be added to the end "
 7713 "separated with a colon, the IPv6 address has to be enclosed in squared "
 7714 "brackets in this case as usual. Valid entries are:"
 7715 msgstr ""
 7716 
 7717 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 7718 #: sssd_krb5_locator_plugin.8.xml:58
 7719 msgid "kdc.example.com"
 7720 msgstr ""
 7721 
 7722 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 7723 #: sssd_krb5_locator_plugin.8.xml:59
 7724 msgid "kdc.example.com:321"
 7725 msgstr ""
 7726 
 7727 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 7728 #: sssd_krb5_locator_plugin.8.xml:60
 7729 msgid "1.2.3.4"
 7730 msgstr ""
 7731 
 7732 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 7733 #: sssd_krb5_locator_plugin.8.xml:61
 7734 msgid "5.6.7.8:99"
 7735 msgstr ""
 7736 
 7737 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 7738 #: sssd_krb5_locator_plugin.8.xml:62
 7739 msgid "2001:db8:85a3::8a2e:370:7334"
 7740 msgstr ""
 7741 
 7742 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 7743 #: sssd_krb5_locator_plugin.8.xml:63
 7744 msgid "[2001:db8:85a3::8a2e:370:7334]:321"
 7745 msgstr ""
 7746 
 7747 #. type: Content of: <reference><refentry><refsect1><para>
 7748 #: sssd_krb5_locator_plugin.8.xml:65
 7749 msgid ""
 7750 "SSSD's krb5 auth-provider which is used by the IPA and AD providers as well "
 7751 "adds the address of the current KDC or domain controller SSSD is using to "
 7752 "this file."
 7753 msgstr ""
 7754 
 7755 #. type: Content of: <reference><refentry><refsect1><para>
 7756 #: sssd_krb5_locator_plugin.8.xml:70
 7757 msgid ""
 7758 "In environments with read-only and read-write KDCs where clients are "
 7759 "expected to use the read-only instances for the general operations and only "
 7760 "the read-write KDC for config changes like password changes a "
 7761 "<filename>kpasswdinfo.REALM</filename> is used as well to identify "
 7762 "read-write KDCs. If this file exists for the given realm the content will be "
 7763 "used by the plugin to reply to requests for a kpasswd or kadmin server or "
 7764 "for the MIT Kerberos specific master KDC. If the address contains a port "
 7765 "number the default KDC port 88 will be used for the latter."
 7766 msgstr ""
 7767 
 7768 #. type: Content of: <reference><refentry><refsect1><para>
 7769 #: sssd_krb5_locator_plugin.8.xml:85
 7770 msgid ""
 7771 "Not all Kerberos implementations support the use of plugins. If "
 7772 "<command>sssd_krb5_locator_plugin</command> is not available on your system "
 7773 "you have to edit /etc/krb5.conf to reflect your Kerberos setup."
 7774 msgstr ""
 7775 
 7776 #. type: Content of: <reference><refentry><refsect1><para>
 7777 #: sssd_krb5_locator_plugin.8.xml:91
 7778 msgid ""
 7779 "If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
 7780 "debug messages will be sent to stderr."
 7781 msgstr ""
 7782 
 7783 #. type: Content of: <reference><refentry><refsect1><para>
 7784 #: sssd_krb5_locator_plugin.8.xml:95
 7785 msgid ""
 7786 "If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value "
 7787 "the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
 7788 "caller."
 7789 msgstr ""
 7790 
 7791 #. type: Content of: <reference><refentry><refsect1><para>
 7792 #: sssd_krb5_locator_plugin.8.xml:100
 7793 msgid ""
 7794 "If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to "
 7795 "any value plugin will try to resolve all DNS names in kdcinfo file. By "
 7796 "default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on "
 7797 "first DNS resolving failure."
 7798 msgstr ""
 7799 
 7800 #. type: Content of: <reference><refentry><refnamediv><refname>
 7801 #: sssd-simple.5.xml:10 sssd-simple.5.xml:16
 7802 msgid "sssd-simple"
 7803 msgstr ""
 7804 
 7805 #. type: Content of: <reference><refentry><refnamediv><refpurpose>
 7806 #: sssd-simple.5.xml:17
 7807 msgid "the configuration file for SSSD's 'simple' access-control provider"
 7808 msgstr ""
 7809 
 7810 #. type: Content of: <reference><refentry><refsect1><para>
 7811 #: sssd-simple.5.xml:24
 7812 msgid ""
 7813 "This manual page describes the configuration of the simple access-control "
 7814 "provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
 7815 "<manvolnum>8</manvolnum> </citerefentry>.  For a detailed syntax reference, "
 7816 "refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
 7817 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
 7818 "</citerefentry> manual page."
 7819 msgstr ""
 7820 
 7821 #. type: Content of: <reference><refentry><refsect1><para>
 7822 #: sssd-simple.5.xml:38
 7823 msgid ""
 7824 "The simple access provider grants or denies access based on an access or "
 7825 "deny list of user or group names. The following rules apply:"
 7826 msgstr ""
 7827 
 7828 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 7829 #: sssd-simple.5.xml:43
 7830 msgid "If all lists are empty, access is granted"
 7831 msgstr ""
 7832 
 7833 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 7834 #: sssd-simple.5.xml:47
 7835 msgid ""
 7836 "If any list is provided, the order of evaluation is allow,deny. This means "
 7837 "that any matching deny rule will supersede any matched allow rule."
 7838 msgstr ""
 7839 
 7840 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 7841 #: sssd-simple.5.xml:54
 7842 msgid ""
 7843 "If either or both \"allow\" lists are provided, all users are denied unless "
 7844 "they appear in the list."
 7845 msgstr ""
 7846 
 7847 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
 7848 #: sssd-simple.5.xml:60
 7849 msgid ""
 7850 "If only \"deny\" lists are provided, all users are granted access unless "
 7851 "they appear in the list."
 7852 msgstr ""
 7853 
 7854 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 7855 #: sssd-simple.5.xml:78
 7856 msgid "simple_allow_users (string)"
 7857 msgstr ""
 7858 
 7859 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 7860 #: sssd-simple.5.xml:81
 7861 msgid "Comma separated list of users who are allowed to log in."
 7862 msgstr ""
 7863 
 7864 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 7865 #: sssd-simple.5.xml:88
 7866 msgid "simple_deny_users (string)"
 7867 msgstr ""
 7868 
 7869 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 7870 #: sssd-simple.5.xml:91
 7871 msgid "Comma separated list of users who are explicitly denied access."
 7872 msgstr ""
 7873 
 7874 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 7875 #: sssd-simple.5.xml:97
 7876 msgid "simple_allow_groups (string)"
 7877 msgstr ""
 7878 
 7879 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 7880 #: sssd-simple.5.xml:100
 7881 msgid ""
 7882 "Comma separated list of groups that are allowed to log in. This applies only "
 7883 "to groups within this SSSD domain. Local groups are not evaluated."
 7884 msgstr ""
 7885 
 7886 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 7887 #: sssd-simple.5.xml:108
 7888 msgid "simple_deny_groups (string)"
 7889 msgstr ""
 7890 
 7891 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 7892 #: sssd-simple.5.xml:111
 7893 msgid ""
 7894 "Comma separated list of groups that are explicitly denied access. This "
 7895 "applies only to groups within this SSSD domain. Local groups are not "
 7896 "evaluated."
 7897 msgstr ""
 7898 
 7899 #. type: Content of: <reference><refentry><refsect1><para>
 7900 #: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
 7901 msgid ""
 7902 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 7903 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
 7904 "</citerefentry> manual page for details on the configuration of an SSSD "
 7905 "domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
 7906 msgstr ""
 7907 
 7908 #. type: Content of: <reference><refentry><refsect1><para>
 7909 #: sssd-simple.5.xml:120
 7910 msgid ""
 7911 "Specifying no values for any of the lists is equivalent to skipping it "
 7912 "entirely. Beware of this while generating parameters for the simple provider "
 7913 "using automated scripts."
 7914 msgstr ""
 7915 
 7916 #. type: Content of: <reference><refentry><refsect1><para>
 7917 #: sssd-simple.5.xml:125
 7918 msgid ""
 7919 "Please note that it is an configuration error if both, simple_allow_users "
 7920 "and simple_deny_users, are defined."
 7921 msgstr ""
 7922 
 7923 #. type: Content of: <reference><refentry><refsect1><para>
 7924 #: sssd-simple.5.xml:133
 7925 msgid ""
 7926 "The following example assumes that SSSD is correctly configured and "
 7927 "example.com is one of the domains in the <replaceable>[sssd]</replaceable> "
 7928 "section. This examples shows only the simple access provider-specific "
 7929 "options."
 7930 msgstr ""
 7931 
 7932 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
 7933 #: sssd-simple.5.xml:140
 7934 #, no-wrap
 7935 msgid ""
 7936 "[domain/example.com]\n"
 7937 "access_provider = simple\n"
 7938 "simple_allow_users = user1, user2\n"
 7939 msgstr ""
 7940 
 7941 #. type: Content of: <reference><refentry><refsect1><para>
 7942 #: sssd-simple.5.xml:150
 7943 msgid ""
 7944 "The complete group membership hierarchy is resolved before the access check, "
 7945 "thus even nested groups can be included in the access lists.  Please be "
 7946 "aware that the <quote>ldap_group_nesting_level</quote> option may impact the "
 7947 "results and should be set to a sufficient value.  (<citerefentry> "
 7948 "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> "
 7949 "</citerefentry>) option."
 7950 msgstr ""
 7951 
 7952 #. type: Content of: <reference><refentry><refnamediv><refname>
 7953 #: sss-certmap.5.xml:10 sss-certmap.5.xml:16
 7954 msgid "sss-certmap"
 7955 msgstr ""
 7956 
 7957 #. type: Content of: <reference><refentry><refnamediv><refpurpose>
 7958 #: sss-certmap.5.xml:17
 7959 msgid "SSSD Certificate Matching and Mapping Rules"
 7960 msgstr ""
 7961 
 7962 #. type: Content of: <reference><refentry><refsect1><para>
 7963 #: sss-certmap.5.xml:23
 7964 msgid ""
 7965 "The manual page describes the rules which can be used by SSSD and other "
 7966 "components to match X.509 certificates and map them to accounts."
 7967 msgstr ""
 7968 
 7969 #. type: Content of: <reference><refentry><refsect1><para>
 7970 #: sss-certmap.5.xml:28
 7971 msgid ""
 7972 "Each rule has four components, a <quote>priority</quote>, a <quote>matching "
 7973 "rule</quote>, a <quote>mapping rule</quote> and a <quote>domain "
 7974 "list</quote>. All components are optional. A missing <quote>priority</quote> "
 7975 "will add the rule with the lowest priority.  The default <quote>matching "
 7976 "rule</quote> will match certificates with the digitalSignature key usage and "
 7977 "clientAuth extended key usage. If the <quote>mapping rule</quote> is empty "
 7978 "the certificates will be searched in the userCertificate attribute as DER "
 7979 "encoded binary. If no domains are given only the local domain will be "
 7980 "searched."
 7981 msgstr ""
 7982 
 7983 #. type: Content of: <reference><refentry><refsect1><title>
 7984 #: sss-certmap.5.xml:41
 7985 msgid "RULE COMPONENTS"
 7986 msgstr ""
 7987 
 7988 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 7989 #: sss-certmap.5.xml:43
 7990 msgid "PRIORITY"
 7991 msgstr ""
 7992 
 7993 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 7994 #: sss-certmap.5.xml:45
 7995 msgid ""
 7996 "The rules are processed by priority while the number '0' (zero)  indicates "
 7997 "the highest priority. The higher the number the lower is the priority. A "
 7998 "missing value indicates the lowest priority. The rules processing is stopped "
 7999 "when a matched rule is found and no further rules are checked."
 8000 msgstr ""
 8001 
 8002 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 8003 #: sss-certmap.5.xml:52
 8004 msgid ""
 8005 "Internally the priority is treated as unsigned 32bit integer, using a "
 8006 "priority value larger than 4294967295 will cause an error."
 8007 msgstr ""
 8008 
 8009 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 8010 #: sss-certmap.5.xml:57
 8011 msgid "MATCHING RULE"
 8012 msgstr ""
 8013 
 8014 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 8015 #: sss-certmap.5.xml:59
 8016 msgid ""
 8017 "The matching rule is used to select a certificate to which the mapping rule "
 8018 "should be applied. It uses a system similar to the one used by "
 8019 "<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a "
 8020 "keyword enclosed by '&lt;' and '&gt;' which identified a certain part of the "
 8021 "certificate and a pattern which should be found for the rule to "
 8022 "match. Multiple keyword pattern pairs can be either joined with '&amp;&amp;' "
 8023 "(and) or '&#124;&#124;' (or)."
 8024 msgstr ""
 8025 
 8026 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8027 #: sss-certmap.5.xml:71
 8028 msgid "&lt;SUBJECT&gt;regular-expression"
 8029 msgstr ""
 8030 
 8031 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8032 #: sss-certmap.5.xml:74
 8033 msgid ""
 8034 "With this a part or the whole subject name of the certificate can be "
 8035 "matched. For the matching POSIX Extended Regular Expression syntax is used, "
 8036 "see regex(7)  for details."
 8037 msgstr ""
 8038 
 8039 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8040 #: sss-certmap.5.xml:80
 8041 msgid ""
 8042 "For the matching the subject name stored in the certificate in DER encoded "
 8043 "ASN.1 is converted into a string according to RFC 4514. This means the most "
 8044 "specific name component comes first. Please note that not all possible "
 8045 "attribute names are covered by RFC 4514. The names included are 'CN', 'L', "
 8046 "'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might "
 8047 "be shown differently on different platform and by different tools. To avoid "
 8048 "confusion those attribute names are best not used or covered by a suitable "
 8049 "regular-expression."
 8050 msgstr ""
 8051 
 8052 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8053 #: sss-certmap.5.xml:93
 8054 msgid "Example: &lt;SUBJECT&gt;.*,DC=MY,DC=DOMAIN"
 8055 msgstr ""
 8056 
 8057 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8058 #: sss-certmap.5.xml:96
 8059 msgid ""
 8060 "Please note that the characters \"^.[$()|*+?{\\\" have a special meaning in "
 8061 "regular expressions and must be escaped with the help of the '\\' character "
 8062 "so that they are matched as ordinary characters."
 8063 msgstr ""
 8064 
 8065 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8066 #: sss-certmap.5.xml:102
 8067 msgid "Example: &lt;SUBJECT&gt;^CN=.* \\(Admin\\),DC=MY,DC=DOMAIN$"
 8068 msgstr ""
 8069 
 8070 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8071 #: sss-certmap.5.xml:107
 8072 msgid "&lt;ISSUER&gt;regular-expression"
 8073 msgstr ""
 8074 
 8075 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8076 #: sss-certmap.5.xml:110
 8077 msgid ""
 8078 "With this a part or the whole issuer name of the certificate can be "
 8079 "matched. All comments for &lt;SUBJECT&gt; apply her as well."
 8080 msgstr ""
 8081 
 8082 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8083 #: sss-certmap.5.xml:115
 8084 msgid "Example: &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$"
 8085 msgstr ""
 8086 
 8087 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8088 #: sss-certmap.5.xml:120
 8089 msgid "&lt;KU&gt;key-usage"
 8090 msgstr ""
 8091 
 8092 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8093 #: sss-certmap.5.xml:123
 8094 msgid ""
 8095 "This option can be used to specify which key usage values the certificate "
 8096 "should have. The following values can be used in a comma separated list:"
 8097 msgstr ""
 8098 
 8099 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8100 #: sss-certmap.5.xml:127
 8101 msgid "digitalSignature"
 8102 msgstr ""
 8103 
 8104 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8105 #: sss-certmap.5.xml:128
 8106 msgid "nonRepudiation"
 8107 msgstr ""
 8108 
 8109 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8110 #: sss-certmap.5.xml:129
 8111 msgid "keyEncipherment"
 8112 msgstr ""
 8113 
 8114 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8115 #: sss-certmap.5.xml:130
 8116 msgid "dataEncipherment"
 8117 msgstr ""
 8118 
 8119 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8120 #: sss-certmap.5.xml:131
 8121 msgid "keyAgreement"
 8122 msgstr ""
 8123 
 8124 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8125 #: sss-certmap.5.xml:132
 8126 msgid "keyCertSign"
 8127 msgstr ""
 8128 
 8129 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8130 #: sss-certmap.5.xml:133
 8131 msgid "cRLSign"
 8132 msgstr ""
 8133 
 8134 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8135 #: sss-certmap.5.xml:134
 8136 msgid "encipherOnly"
 8137 msgstr ""
 8138 
 8139 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8140 #: sss-certmap.5.xml:135
 8141 msgid "decipherOnly"
 8142 msgstr ""
 8143 
 8144 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8145 #: sss-certmap.5.xml:139
 8146 msgid ""
 8147 "A numerical value in the range of a 32bit unsigned integer can be used as "
 8148 "well to cover special use cases."
 8149 msgstr ""
 8150 
 8151 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8152 #: sss-certmap.5.xml:143
 8153 msgid "Example: &lt;KU&gt;digitalSignature,keyEncipherment"
 8154 msgstr ""
 8155 
 8156 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8157 #: sss-certmap.5.xml:148
 8158 msgid "&lt;EKU&gt;extended-key-usage"
 8159 msgstr ""
 8160 
 8161 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8162 #: sss-certmap.5.xml:151
 8163 msgid ""
 8164 "This option can be used to specify which extended key usage the certificate "
 8165 "should have. The following value can be used in a comma separated list:"
 8166 msgstr ""
 8167 
 8168 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8169 #: sss-certmap.5.xml:155
 8170 msgid "serverAuth"
 8171 msgstr ""
 8172 
 8173 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8174 #: sss-certmap.5.xml:156
 8175 msgid "clientAuth"
 8176 msgstr ""
 8177 
 8178 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8179 #: sss-certmap.5.xml:157
 8180 msgid "codeSigning"
 8181 msgstr ""
 8182 
 8183 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8184 #: sss-certmap.5.xml:158
 8185 msgid "emailProtection"
 8186 msgstr ""
 8187 
 8188 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8189 #: sss-certmap.5.xml:159
 8190 msgid "timeStamping"
 8191 msgstr ""
 8192 
 8193 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8194 #: sss-certmap.5.xml:160
 8195 msgid "OCSPSigning"
 8196 msgstr ""
 8197 
 8198 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8199 #: sss-certmap.5.xml:161
 8200 msgid "KPClientAuth"
 8201 msgstr ""
 8202 
 8203 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8204 #: sss-certmap.5.xml:162
 8205 msgid "pkinit"
 8206 msgstr ""
 8207 
 8208 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 8209 #: sss-certmap.5.xml:163
 8210 msgid "msScLogin"
 8211 msgstr ""
 8212 
 8213 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8214 #: sss-certmap.5.xml:167
 8215 msgid ""
 8216 "Extended key usages which are not listed above can be specified with their "
 8217 "OID in dotted-decimal notation."
 8218 msgstr ""
 8219 
 8220 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8221 #: sss-certmap.5.xml:171
 8222 msgid "Example: &lt;EKU&gt;clientAuth,1.3.6.1.5.2.3.4"
 8223 msgstr ""
 8224 
 8225 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8226 #: sss-certmap.5.xml:176
 8227 msgid "&lt;SAN&gt;regular-expression"
 8228 msgstr ""
 8229 
 8230 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8231 #: sss-certmap.5.xml:179
 8232 msgid ""
 8233 "To be compatible with the usage of MIT Kerberos this option will match the "
 8234 "Kerberos principals in the PKINIT or AD NT Principal SAN as "
 8235 "&lt;SAN:Principal&gt; does."
 8236 msgstr ""
 8237 
 8238 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8239 #: sss-certmap.5.xml:184
 8240 msgid "Example: &lt;SAN&gt;.*@MY\\.REALM"
 8241 msgstr ""
 8242 
 8243 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8244 #: sss-certmap.5.xml:189
 8245 msgid "&lt;SAN:Principal&gt;regular-expression"
 8246 msgstr ""
 8247 
 8248 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8249 #: sss-certmap.5.xml:192
 8250 msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN."
 8251 msgstr ""
 8252 
 8253 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8254 #: sss-certmap.5.xml:196
 8255 msgid "Example: &lt;SAN:Principal&gt;.*@MY\\.REALM"
 8256 msgstr ""
 8257 
 8258 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8259 #: sss-certmap.5.xml:201
 8260 msgid "&lt;SAN:ntPrincipalName&gt;regular-expression"
 8261 msgstr ""
 8262 
 8263 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8264 #: sss-certmap.5.xml:204
 8265 msgid "Match the Kerberos principals from the AD NT Principal SAN."
 8266 msgstr ""
 8267 
 8268 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8269 #: sss-certmap.5.xml:208
 8270 msgid "Example: &lt;SAN:ntPrincipalName&gt;.*@MY.AD.REALM"
 8271 msgstr ""
 8272 
 8273 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8274 #: sss-certmap.5.xml:213
 8275 msgid "&lt;SAN:pkinit&gt;regular-expression"
 8276 msgstr ""
 8277 
 8278 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8279 #: sss-certmap.5.xml:216
 8280 msgid "Match the Kerberos principals from the PKINIT SAN."
 8281 msgstr ""
 8282 
 8283 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8284 #: sss-certmap.5.xml:219
 8285 msgid "Example: &lt;SAN:ntPrincipalName&gt;.*@MY\\.PKINIT\\.REALM"
 8286 msgstr ""
 8287 
 8288 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8289 #: sss-certmap.5.xml:224
 8290 msgid "&lt;SAN:dotted-decimal-oid&gt;regular-expression"
 8291 msgstr ""
 8292 
 8293 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8294 #: sss-certmap.5.xml:227
 8295 msgid ""
 8296 "Take the value of the otherName SAN component given by the OID in "
 8297 "dotted-decimal notation, interpret it as string and try to match it against "
 8298 "the regular expression."
 8299 msgstr ""
 8300 
 8301 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8302 #: sss-certmap.5.xml:233
 8303 msgid "Example: &lt;SAN:1.2.3.4&gt;test"
 8304 msgstr ""
 8305 
 8306 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8307 #: sss-certmap.5.xml:238
 8308 msgid "&lt;SAN:otherName&gt;base64-string"
 8309 msgstr ""
 8310 
 8311 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8312 #: sss-certmap.5.xml:241
 8313 msgid ""
 8314 "Do a binary match with the base64 encoded blob against all otherName SAN "
 8315 "components. With this option it is possible to match against custom "
 8316 "otherName components with special encodings which could not be treated as "
 8317 "strings."
 8318 msgstr ""
 8319 
 8320 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8321 #: sss-certmap.5.xml:248
 8322 msgid "Example: &lt;SAN:otherName&gt;MTIz"
 8323 msgstr ""
 8324 
 8325 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8326 #: sss-certmap.5.xml:253
 8327 msgid "&lt;SAN:rfc822Name&gt;regular-expression"
 8328 msgstr ""
 8329 
 8330 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8331 #: sss-certmap.5.xml:256
 8332 msgid "Match the value of the rfc822Name SAN."
 8333 msgstr ""
 8334 
 8335 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8336 #: sss-certmap.5.xml:259
 8337 msgid "Example: &lt;SAN:rfc822Name&gt;.*@email\\.domain"
 8338 msgstr ""
 8339 
 8340 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8341 #: sss-certmap.5.xml:264
 8342 msgid "&lt;SAN:dNSName&gt;regular-expression"
 8343 msgstr ""
 8344 
 8345 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8346 #: sss-certmap.5.xml:267
 8347 msgid "Match the value of the dNSName SAN."
 8348 msgstr ""
 8349 
 8350 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8351 #: sss-certmap.5.xml:270
 8352 msgid "Example: &lt;SAN:dNSName&gt;.*\\.my\\.dns\\.domain"
 8353 msgstr ""
 8354 
 8355 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8356 #: sss-certmap.5.xml:275
 8357 msgid "&lt;SAN:x400Address&gt;base64-string"
 8358 msgstr ""
 8359 
 8360 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8361 #: sss-certmap.5.xml:278
 8362 msgid "Binary match the value of the x400Address SAN."
 8363 msgstr ""
 8364 
 8365 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8366 #: sss-certmap.5.xml:281
 8367 msgid "Example: &lt;SAN:x400Address&gt;MTIz"
 8368 msgstr ""
 8369 
 8370 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8371 #: sss-certmap.5.xml:286
 8372 msgid "&lt;SAN:directoryName&gt;regular-expression"
 8373 msgstr ""
 8374 
 8375 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8376 #: sss-certmap.5.xml:289
 8377 msgid ""
 8378 "Match the value of the directoryName SAN. The same comments as given for "
 8379 "&lt;ISSUER&gt; and &lt;SUBJECT&gt; apply here as well."
 8380 msgstr ""
 8381 
 8382 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8383 #: sss-certmap.5.xml:294
 8384 msgid "Example: &lt;SAN:directoryName&gt;.*,DC=com"
 8385 msgstr ""
 8386 
 8387 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8388 #: sss-certmap.5.xml:299
 8389 msgid "&lt;SAN:ediPartyName&gt;base64-string"
 8390 msgstr ""
 8391 
 8392 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8393 #: sss-certmap.5.xml:302
 8394 msgid "Binary match the value of the ediPartyName SAN."
 8395 msgstr ""
 8396 
 8397 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8398 #: sss-certmap.5.xml:305
 8399 msgid "Example: &lt;SAN:ediPartyName&gt;MTIz"
 8400 msgstr ""
 8401 
 8402 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8403 #: sss-certmap.5.xml:310
 8404 msgid "&lt;SAN:uniformResourceIdentifier&gt;regular-expression"
 8405 msgstr ""
 8406 
 8407 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8408 #: sss-certmap.5.xml:313
 8409 msgid "Match the value of the uniformResourceIdentifier SAN."
 8410 msgstr ""
 8411 
 8412 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8413 #: sss-certmap.5.xml:316
 8414 msgid "Example: &lt;SAN:uniformResourceIdentifier&gt;URN:.*"
 8415 msgstr ""
 8416 
 8417 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8418 #: sss-certmap.5.xml:321
 8419 msgid "&lt;SAN:iPAddress&gt;regular-expression"
 8420 msgstr ""
 8421 
 8422 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8423 #: sss-certmap.5.xml:324
 8424 msgid "Match the value of the iPAddress SAN."
 8425 msgstr ""
 8426 
 8427 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8428 #: sss-certmap.5.xml:327
 8429 msgid "Example: &lt;SAN:iPAddress&gt;192\\.168\\..*"
 8430 msgstr ""
 8431 
 8432 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8433 #: sss-certmap.5.xml:332
 8434 msgid "&lt;SAN:registeredID&gt;regular-expression"
 8435 msgstr ""
 8436 
 8437 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8438 #: sss-certmap.5.xml:335
 8439 msgid "Match the value of the registeredID SAN as dotted-decimal string."
 8440 msgstr ""
 8441 
 8442 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8443 #: sss-certmap.5.xml:339
 8444 msgid "Example: &lt;SAN:registeredID&gt;1\\.2\\.3\\..*"
 8445 msgstr ""
 8446 
 8447 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 8448 #: sss-certmap.5.xml:68
 8449 msgid "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
 8450 msgstr ""
 8451 
 8452 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 8453 #: sss-certmap.5.xml:347
 8454 msgid "MAPPING RULE"
 8455 msgstr ""
 8456 
 8457 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 8458 #: sss-certmap.5.xml:349
 8459 msgid ""
 8460 "The mapping rule is used to associate a certificate with one or more "
 8461 "accounts. A Smartcard with the certificate and the matching private key can "
 8462 "then be used to authenticate as one of those accounts."
 8463 msgstr ""
 8464 
 8465 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 8466 #: sss-certmap.5.xml:354
 8467 msgid ""
 8468 "Currently SSSD basically only supports LDAP to lookup user information (the "
 8469 "exception is the proxy provider which is not of relevance here). Because of "
 8470 "this the mapping rule is based on LDAP search filter syntax with templates "
 8471 "to add certificate content to the filter. It is expected that the filter "
 8472 "will only contain the specific data needed for the mapping and that the "
 8473 "caller will embed it in another filter to do the actual search. Because of "
 8474 "this the filter string should start and stop with '(' and ')' respectively."
 8475 msgstr ""
 8476 
 8477 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 8478 #: sss-certmap.5.xml:364
 8479 msgid ""
 8480 "In general it is recommended to use attributes from the certificate and add "
 8481 "them to special attributes to the LDAP user object. E.g. the "
 8482 "'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute "
 8483 "for IPA can be used."
 8484 msgstr ""
 8485 
 8486 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 8487 #: sss-certmap.5.xml:370
 8488 msgid ""
 8489 "This should be preferred to read user specific data from the certificate "
 8490 "like e.g. an email address and search for it in the LDAP server. The reason "
 8491 "is that the user specific data in LDAP might change for various reasons "
 8492 "would break the mapping. On the other hand it would be hard to break the "
 8493 "mapping on purpose for a specific user."
 8494 msgstr ""
 8495 
 8496 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8497 #: sss-certmap.5.xml:385
 8498 msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
 8499 msgstr ""
 8500 
 8501 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8502 #: sss-certmap.5.xml:388
 8503 msgid ""
 8504 "This template will add the full issuer DN converted to a string according to "
 8505 "RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
 8506 "the '_x500' prefix should be used."
 8507 msgstr ""
 8508 
 8509 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8510 #: sss-certmap.5.xml:394 sss-certmap.5.xml:420
 8511 msgid ""
 8512 "The conversion options starting with 'ad_' will use attribute names as used "
 8513 "by AD, e.g. 'S' instead of 'ST'."
 8514 msgstr ""
 8515 
 8516 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8517 #: sss-certmap.5.xml:398 sss-certmap.5.xml:424
 8518 msgid ""
 8519 "The conversion options starting with 'nss_' will use attribute names as used "
 8520 "by NSS."
 8521 msgstr ""
 8522 
 8523 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8524 #: sss-certmap.5.xml:402 sss-certmap.5.xml:428
 8525 msgid ""
 8526 "The default conversion option is 'nss', i.e. attribute names according to "
 8527 "NSS and LDAP/RFC 4514 ordering."
 8528 msgstr ""
 8529 
 8530 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8531 #: sss-certmap.5.xml:406
 8532 msgid ""
 8533 "Example: "
 8534 "(ipacertmapdata=X509:&lt;I&gt;{issuer_dn!ad}&lt;S&gt;{subject_dn!ad})"
 8535 msgstr ""
 8536 
 8537 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8538 #: sss-certmap.5.xml:411
 8539 msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
 8540 msgstr ""
 8541 
 8542 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8543 #: sss-certmap.5.xml:414
 8544 msgid ""
 8545 "This template will add the full subject DN converted to string according to "
 8546 "RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
 8547 "the '_x500' prefix should be used."
 8548 msgstr ""
 8549 
 8550 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8551 #: sss-certmap.5.xml:432
 8552 msgid ""
 8553 "Example: "
 8554 "(ipacertmapdata=X509:&lt;I&gt;{issuer_dn!nss_x500}&lt;S&gt;{subject_dn!nss_x500})"
 8555 msgstr ""
 8556 
 8557 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8558 #: sss-certmap.5.xml:437
 8559 msgid "{cert[!(bin|base64)]}"
 8560 msgstr ""
 8561 
 8562 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8563 #: sss-certmap.5.xml:440
 8564 msgid ""
 8565 "This template will add the whole DER encoded certificate as a string to the "
 8566 "search filter. Depending on the conversion option the binary certificate is "
 8567 "either converted to an escaped hex sequence '\\xx' or base64.  The escaped "
 8568 "hex sequence is the default and can e.g. be used with the LDAP attribute "
 8569 "'userCertificate;binary'."
 8570 msgstr ""
 8571 
 8572 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8573 #: sss-certmap.5.xml:448
 8574 msgid "Example: (userCertificate;binary={cert!bin})"
 8575 msgstr ""
 8576 
 8577 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8578 #: sss-certmap.5.xml:453
 8579 msgid "{subject_principal[.short_name]}"
 8580 msgstr ""
 8581 
 8582 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8583 #: sss-certmap.5.xml:456
 8584 msgid ""
 8585 "This template will add the Kerberos principal which is taken either from the "
 8586 "SAN used by pkinit or the one used by AD. The 'short_name' component "
 8587 "represents the first part of the principal before the '@' sign."
 8588 msgstr ""
 8589 
 8590 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8591 #: sss-certmap.5.xml:462
 8592 msgid ""
 8593 "Example: "
 8594 "(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))"
 8595 msgstr ""
 8596 
 8597 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8598 #: sss-certmap.5.xml:467
 8599 msgid "{subject_pkinit_principal[.short_name]}"
 8600 msgstr ""
 8601 
 8602 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8603 #: sss-certmap.5.xml:470
 8604 msgid ""
 8605 "This template will add the Kerberos principal which is given by the SAN used "
 8606 "by pkinit. The 'short_name' component represents the first part of the "
 8607 "principal before the '@' sign."
 8608 msgstr ""
 8609 
 8610 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8611 #: sss-certmap.5.xml:476
 8612 msgid ""
 8613 "Example: "
 8614 "(|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name}))"
 8615 msgstr ""
 8616 
 8617 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8618 #: sss-certmap.5.xml:481
 8619 msgid "{subject_nt_principal[.short_name]}"
 8620 msgstr ""
 8621 
 8622 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8623 #: sss-certmap.5.xml:484
 8624 msgid ""
 8625 "This template will add the Kerberos principal which is given by the SAN used "
 8626 "by AD. The 'short_name' component represent the first part of the principal "
 8627 "before the '@' sign."
 8628 msgstr ""
 8629 
 8630 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8631 #: sss-certmap.5.xml:490
 8632 msgid ""
 8633 "Example: "
 8634 "(|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))"
 8635 msgstr ""
 8636 
 8637 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8638 #: sss-certmap.5.xml:495
 8639 msgid "{subject_rfc822_name[.short_name]}"
 8640 msgstr ""
 8641 
 8642 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8643 #: sss-certmap.5.xml:498
 8644 msgid ""
 8645 "This template will add the string which is stored in the rfc822Name "
 8646 "component of the SAN, typically an email address. The 'short_name' component "
 8647 "represents the first part of the address before the '@' sign."
 8648 msgstr ""
 8649 
 8650 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8651 #: sss-certmap.5.xml:504
 8652 msgid ""
 8653 "Example: "
 8654 "(|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name}))"
 8655 msgstr ""
 8656 
 8657 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8658 #: sss-certmap.5.xml:509
 8659 msgid "{subject_dns_name[.short_name]}"
 8660 msgstr ""
 8661 
 8662 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8663 #: sss-certmap.5.xml:512
 8664 msgid ""
 8665 "This template will add the string which is stored in the dNSName component "
 8666 "of the SAN, typically a fully-qualified host name.  The 'short_name' "
 8667 "component represents the first part of the name before the first '.' sign."
 8668 msgstr ""
 8669 
 8670 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8671 #: sss-certmap.5.xml:518
 8672 msgid "Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
 8673 msgstr ""
 8674 
 8675 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8676 #: sss-certmap.5.xml:523
 8677 msgid "{subject_uri}"
 8678 msgstr ""
 8679 
 8680 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8681 #: sss-certmap.5.xml:526
 8682 msgid ""
 8683 "This template will add the string which is stored in the "
 8684 "uniformResourceIdentifier component of the SAN."
 8685 msgstr ""
 8686 
 8687 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8688 #: sss-certmap.5.xml:530
 8689 msgid "Example: (uri={subject_uri})"
 8690 msgstr ""
 8691 
 8692 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8693 #: sss-certmap.5.xml:535
 8694 msgid "{subject_ip_address}"
 8695 msgstr ""
 8696 
 8697 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8698 #: sss-certmap.5.xml:538
 8699 msgid ""
 8700 "This template will add the string which is stored in the iPAddress component "
 8701 "of the SAN."
 8702 msgstr ""
 8703 
 8704 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8705 #: sss-certmap.5.xml:542
 8706 msgid "Example: (ip={subject_ip_address})"
 8707 msgstr ""
 8708 
 8709 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8710 #: sss-certmap.5.xml:547
 8711 msgid "{subject_x400_address}"
 8712 msgstr ""
 8713 
 8714 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8715 #: sss-certmap.5.xml:550
 8716 msgid ""
 8717 "This template will add the value which is stored in the x400Address "
 8718 "component of the SAN as escaped hex sequence."
 8719 msgstr ""
 8720 
 8721 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8722 #: sss-certmap.5.xml:555
 8723 msgid "Example: (attr:binary={subject_x400_address})"
 8724 msgstr ""
 8725 
 8726 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8727 #: sss-certmap.5.xml:560
 8728 msgid "{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
 8729 msgstr ""
 8730 
 8731 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8732 #: sss-certmap.5.xml:563
 8733 msgid ""
 8734 "This template will add the DN string of the value which is stored in the "
 8735 "directoryName component of the SAN."
 8736 msgstr ""
 8737 
 8738 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8739 #: sss-certmap.5.xml:567
 8740 msgid "Example: (orig_dn={subject_directory_name})"
 8741 msgstr ""
 8742 
 8743 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8744 #: sss-certmap.5.xml:572
 8745 msgid "{subject_ediparty_name}"
 8746 msgstr ""
 8747 
 8748 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8749 #: sss-certmap.5.xml:575
 8750 msgid ""
 8751 "This template will add the value which is stored in the ediPartyName "
 8752 "component of the SAN as escaped hex sequence."
 8753 msgstr ""
 8754 
 8755 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8756 #: sss-certmap.5.xml:580
 8757 msgid "Example: (attr:binary={subject_ediparty_name})"
 8758 msgstr ""
 8759 
 8760 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 8761 #: sss-certmap.5.xml:585
 8762 msgid "{subject_registered_id}"
 8763 msgstr ""
 8764 
 8765 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8766 #: sss-certmap.5.xml:588
 8767 msgid ""
 8768 "This template will add the OID which is stored in the registeredID component "
 8769 "of the SAN as a dotted-decimal string."
 8770 msgstr ""
 8771 
 8772 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 8773 #: sss-certmap.5.xml:593
 8774 msgid "Example: (oid={subject_registered_id})"
 8775 msgstr ""
 8776 
 8777 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 8778 #: sss-certmap.5.xml:378
 8779 msgid ""
 8780 "The templates to add certificate data to the search filter are based on "
 8781 "Python-style formatting strings. They consist of a keyword in curly braces "
 8782 "with an optional sub-component specifier separated by a '.' or an optional "
 8783 "conversion/formatting option separated by a '!'.  Allowed values are: "
 8784 "<placeholder type=\"variablelist\" id=\"0\"/>"
 8785 msgstr ""
 8786 
 8787 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 8788 #: sss-certmap.5.xml:601
 8789 msgid "DOMAIN LIST"
 8790 msgstr ""
 8791 
 8792 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 8793 #: sss-certmap.5.xml:603
 8794 msgid ""
 8795 "If the domain list is not empty users mapped to a given certificate are not "
 8796 "only searched in the local domain but in the listed domains as well as long "
 8797 "as they are know by SSSD. Domains not know to SSSD will be ignored."
 8798 msgstr ""
 8799 
 8800 #. type: Content of: <reference><refentry><refnamediv><refname>
 8801 #: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
 8802 msgid "sssd-ipa"
 8803 msgstr ""
 8804 
 8805 #. type: Content of: <reference><refentry><refnamediv><refpurpose>
 8806 #: sssd-ipa.5.xml:17
 8807 msgid "SSSD IPA provider"
 8808 msgstr ""
 8809 
 8810 #. type: Content of: <reference><refentry><refsect1><para>
 8811 #: sssd-ipa.5.xml:23
 8812 msgid ""
 8813 "This manual page describes the configuration of the IPA provider for "
 8814 "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
 8815 "</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
 8816 "FORMAT</quote> section of the <citerefentry> "
 8817 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
 8818 "</citerefentry> manual page."
 8819 msgstr ""
 8820 
 8821 #. type: Content of: <reference><refentry><refsect1><para>
 8822 #: sssd-ipa.5.xml:36
 8823 msgid ""
 8824 "The IPA provider is a back end used to connect to an IPA server.  (Refer to "
 8825 "the freeipa.org web site for information about IPA servers.)  This provider "
 8826 "requires that the machine be joined to the IPA domain; configuration is "
 8827 "almost entirely self-discovered and obtained directly from the server."
 8828 msgstr ""
 8829 
 8830 #. type: Content of: <reference><refentry><refsect1><para>
 8831 #: sssd-ipa.5.xml:43
 8832 msgid ""
 8833 "The IPA provider enables SSSD to use the <citerefentry> "
 8834 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
 8835 "</citerefentry> identity provider and the <citerefentry> "
 8836 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
 8837 "</citerefentry> authentication provider with optimizations for IPA "
 8838 "environments. The IPA provider accepts the same options used by the "
 8839 "sssd-ldap and sssd-krb5 providers with some exceptions. However, it is "
 8840 "neither necessary nor recommended to set these options."
 8841 msgstr ""
 8842 
 8843 #. type: Content of: <reference><refentry><refsect1><para>
 8844 #: sssd-ipa.5.xml:57
 8845 msgid ""
 8846 "The IPA provider primarily copies the traditional ldap and krb5 provider "
 8847 "default options with some exceptions, the differences are listed in the "
 8848 "<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 8849 msgstr ""
 8850 
 8851 #. type: Content of: <reference><refentry><refsect1><para>
 8852 #: sssd-ipa.5.xml:62
 8853 msgid ""
 8854 "As an access provider, the IPA provider uses HBAC (host-based access "
 8855 "control)  rules. Please refer to freeipa.org for more information about "
 8856 "HBAC. No configuration of access provider is required on the client side."
 8857 msgstr ""
 8858 
 8859 #. type: Content of: <reference><refentry><refsect1><para>
 8860 #: sssd-ipa.5.xml:67
 8861 msgid ""
 8862 "If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is "
 8863 "configured in sssd.conf then the id_provider must also be set to "
 8864 "<quote>ipa</quote>."
 8865 msgstr ""
 8866 
 8867 #. type: Content of: <reference><refentry><refsect1><para>
 8868 #: sssd-ipa.5.xml:73
 8869 msgid ""
 8870 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 8871 "from trusted realms contain a PAC. To make configuration easier the PAC "
 8872 "responder is started automatically if the IPA ID provider is configured."
 8873 msgstr ""
 8874 
 8875 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 8876 #: sssd-ipa.5.xml:89
 8877 msgid "ipa_domain (string)"
 8878 msgstr ""
 8879 
 8880 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8881 #: sssd-ipa.5.xml:92
 8882 msgid ""
 8883 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 8884 "the configuration domain name is used."
 8885 msgstr ""
 8886 
 8887 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 8888 #: sssd-ipa.5.xml:100
 8889 msgid "ipa_server, ipa_backup_server (string)"
 8890 msgstr ""
 8891 
 8892 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8893 #: sssd-ipa.5.xml:103
 8894 msgid ""
 8895 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 8896 "which SSSD should connect in the order of preference. For more information "
 8897 "on failover and server redundancy, see the <quote>FAILOVER</quote> section.  "
 8898 "This is optional if autodiscovery is enabled.  For more information on "
 8899 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 8900 msgstr ""
 8901 
 8902 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 8903 #: sssd-ipa.5.xml:116
 8904 msgid "ipa_hostname (string)"
 8905 msgstr ""
 8906 
 8907 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8908 #: sssd-ipa.5.xml:119
 8909 msgid ""
 8910 "Optional. May be set on machines where the hostname(5) does not reflect the "
 8911 "fully qualified name used in the IPA domain to identify this host.  The "
 8912 "hostname must be fully qualified."
 8913 msgstr ""
 8914 
 8915 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 8916 #: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
 8917 msgid "dyndns_update (boolean)"
 8918 msgstr ""
 8919 
 8920 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8921 #: sssd-ipa.5.xml:131
 8922 msgid ""
 8923 "Optional. This option tells SSSD to automatically update the DNS server "
 8924 "built into FreeIPA with the IP address of this client. The update is secured "
 8925 "using GSS-TSIG. The IP address of the IPA LDAP connection is used for the "
 8926 "updates, if it is not otherwise specified by using the "
 8927 "<quote>dyndns_iface</quote> option."
 8928 msgstr ""
 8929 
 8930 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8931 #: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
 8932 msgid ""
 8933 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 8934 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 8935 msgstr ""
 8936 
 8937 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8938 #: sssd-ipa.5.xml:145
 8939 msgid ""
 8940 "NOTE: While it is still possible to use the old "
 8941 "<emphasis>ipa_dyndns_update</emphasis> option, users should migrate to using "
 8942 "<emphasis>dyndns_update</emphasis> in their config file."
 8943 msgstr ""
 8944 
 8945 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 8946 #: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
 8947 msgid "dyndns_ttl (integer)"
 8948 msgstr ""
 8949 
 8950 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8951 #: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
 8952 msgid ""
 8953 "The TTL to apply to the client DNS record when updating it.  If "
 8954 "dyndns_update is false this has no effect. This will override the TTL "
 8955 "serverside if set by an administrator."
 8956 msgstr ""
 8957 
 8958 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8959 #: sssd-ipa.5.xml:165
 8960 msgid ""
 8961 "NOTE: While it is still possible to use the old "
 8962 "<emphasis>ipa_dyndns_ttl</emphasis> option, users should migrate to using "
 8963 "<emphasis>dyndns_ttl</emphasis> in their config file."
 8964 msgstr ""
 8965 
 8966 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8967 #: sssd-ipa.5.xml:171
 8968 msgid "Default: 1200 (seconds)"
 8969 msgstr ""
 8970 
 8971 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 8972 #: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
 8973 msgid "dyndns_iface (string)"
 8974 msgstr ""
 8975 
 8976 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8977 #: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
 8978 msgid ""
 8979 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 8980 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
 8981 "updates. Special value <quote>*</quote> implies that IPs from all interfaces "
 8982 "should be used."
 8983 msgstr ""
 8984 
 8985 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8986 #: sssd-ipa.5.xml:187
 8987 msgid ""
 8988 "NOTE: While it is still possible to use the old "
 8989 "<emphasis>ipa_dyndns_iface</emphasis> option, users should migrate to using "
 8990 "<emphasis>dyndns_iface</emphasis> in their config file."
 8991 msgstr ""
 8992 
 8993 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 8994 #: sssd-ipa.5.xml:193
 8995 msgid ""
 8996 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 8997 "connection"
 8998 msgstr ""
 8999 
 9000 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9001 #: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
 9002 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 9003 msgstr ""
 9004 
 9005 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9006 #: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
 9007 msgid "dyndns_auth (string)"
 9008 msgstr ""
 9009 
 9010 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9011 #: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
 9012 msgid ""
 9013 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 9014 "updates with the DNS server, insecure updates can be sent by setting this "
 9015 "option to 'none'."
 9016 msgstr ""
 9017 
 9018 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9019 #: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
 9020 msgid "Default: GSS-TSIG"
 9021 msgstr ""
 9022 
 9023 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9024 #: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
 9025 msgid "dyndns_auth_ptr (string)"
 9026 msgstr ""
 9027 
 9028 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9029 #: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
 9030 msgid ""
 9031 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 9032 "PTR updates with the DNS server, insecure updates can be sent by setting "
 9033 "this option to 'none'."
 9034 msgstr ""
 9035 
 9036 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9037 #: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
 9038 msgid "Default: Same as dyndns_auth"
 9039 msgstr ""
 9040 
 9041 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9042 #: sssd-ipa.5.xml:233
 9043 msgid "ipa_enable_dns_sites (boolean)"
 9044 msgstr ""
 9045 
 9046 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9047 #: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
 9048 msgid "Enables DNS sites - location based service discovery."
 9049 msgstr ""
 9050 
 9051 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9052 #: sssd-ipa.5.xml:240
 9053 msgid ""
 9054 "If true and service discovery (see Service Discovery paragraph at the bottom "
 9055 "of the man page)  is enabled, then the SSSD will first attempt location "
 9056 "based discovery using a query that contains "
 9057 "\"_location.hostname.example.com\" and then fall back to traditional SRV "
 9058 "discovery. If the location based discovery succeeds, the IPA servers located "
 9059 "with the location based discovery are treated as primary servers and the IPA "
 9060 "servers located using the traditional SRV discovery are used as back up "
 9061 "servers"
 9062 msgstr ""
 9063 
 9064 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9065 #: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
 9066 msgid "dyndns_refresh_interval (integer)"
 9067 msgstr ""
 9068 
 9069 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9070 #: sssd-ipa.5.xml:262
 9071 msgid ""
 9072 "How often should the back end perform periodic DNS update in addition to the "
 9073 "automatic update performed when the back end goes online.  This option is "
 9074 "optional and applicable only when dyndns_update is true."
 9075 msgstr ""
 9076 
 9077 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9078 #: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
 9079 msgid "dyndns_update_ptr (bool)"
 9080 msgstr ""
 9081 
 9082 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9083 #: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
 9084 msgid ""
 9085 "Whether the PTR record should also be explicitly updated when updating the "
 9086 "client's DNS records.  Applicable only when dyndns_update is true."
 9087 msgstr ""
 9088 
 9089 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9090 #: sssd-ipa.5.xml:283
 9091 msgid ""
 9092 "This option should be False in most IPA deployments as the IPA server "
 9093 "generates the PTR records automatically when forward records are changed."
 9094 msgstr ""
 9095 
 9096 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9097 #: sssd-ipa.5.xml:289
 9098 msgid "Default: False (disabled)"
 9099 msgstr ""
 9100 
 9101 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9102 #: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
 9103 msgid "dyndns_force_tcp (bool)"
 9104 msgstr ""
 9105 
 9106 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9107 #: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
 9108 msgid ""
 9109 "Whether the nsupdate utility should default to using TCP for communicating "
 9110 "with the DNS server."
 9111 msgstr ""
 9112 
 9113 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9114 #: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
 9115 msgid "Default: False (let nsupdate choose the protocol)"
 9116 msgstr ""
 9117 
 9118 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9119 #: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
 9120 msgid "dyndns_server (string)"
 9121 msgstr ""
 9122 
 9123 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9124 #: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
 9125 msgid ""
 9126 "The DNS server to use when performing a DNS update. In most setups, it's "
 9127 "recommended to leave this option unset."
 9128 msgstr ""
 9129 
 9130 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9131 #: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
 9132 msgid ""
 9133 "Setting this option makes sense for environments where the DNS server is "
 9134 "different from the identity server."
 9135 msgstr ""
 9136 
 9137 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9138 #: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
 9139 msgid ""
 9140 "Please note that this option will be only used in fallback attempt when "
 9141 "previous attempt using autodetected settings failed."
 9142 msgstr ""
 9143 
 9144 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9145 #: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
 9146 msgid "Default: None (let nsupdate choose the server)"
 9147 msgstr ""
 9148 
 9149 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9150 #: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
 9151 msgid "dyndns_update_per_family (boolean)"
 9152 msgstr ""
 9153 
 9154 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9155 #: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
 9156 msgid ""
 9157 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 9158 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
 9159 "in single step."
 9160 msgstr ""
 9161 
 9162 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9163 #: sssd-ipa.5.xml:347
 9164 msgid "ipa_deskprofile_search_base (string)"
 9165 msgstr ""
 9166 
 9167 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9168 #: sssd-ipa.5.xml:350
 9169 msgid ""
 9170 "Optional. Use the given string as search base for Desktop Profile related "
 9171 "objects."
 9172 msgstr ""
 9173 
 9174 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9175 #: sssd-ipa.5.xml:354 sssd-ipa.5.xml:367
 9176 msgid "Default: Use base DN"
 9177 msgstr ""
 9178 
 9179 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9180 #: sssd-ipa.5.xml:360
 9181 msgid "ipa_hbac_search_base (string)"
 9182 msgstr ""
 9183 
 9184 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9185 #: sssd-ipa.5.xml:363
 9186 msgid "Optional. Use the given string as search base for HBAC related objects."
 9187 msgstr ""
 9188 
 9189 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9190 #: sssd-ipa.5.xml:373
 9191 msgid "ipa_host_search_base (string)"
 9192 msgstr ""
 9193 
 9194 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9195 #: sssd-ipa.5.xml:376
 9196 msgid "Deprecated. Use ldap_host_search_base instead."
 9197 msgstr ""
 9198 
 9199 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9200 #: sssd-ipa.5.xml:382
 9201 msgid "ipa_selinux_search_base (string)"
 9202 msgstr ""
 9203 
 9204 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9205 #: sssd-ipa.5.xml:385
 9206 msgid "Optional. Use the given string as search base for SELinux user maps."
 9207 msgstr ""
 9208 
 9209 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9210 #: sssd-ipa.5.xml:401
 9211 msgid "ipa_subdomains_search_base (string)"
 9212 msgstr ""
 9213 
 9214 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9215 #: sssd-ipa.5.xml:404
 9216 msgid "Optional. Use the given string as search base for trusted domains."
 9217 msgstr ""
 9218 
 9219 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9220 #: sssd-ipa.5.xml:413
 9221 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 9222 msgstr ""
 9223 
 9224 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9225 #: sssd-ipa.5.xml:420
 9226 msgid "ipa_master_domain_search_base (string)"
 9227 msgstr ""
 9228 
 9229 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9230 #: sssd-ipa.5.xml:423
 9231 msgid "Optional. Use the given string as search base for master domain object."
 9232 msgstr ""
 9233 
 9234 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9235 #: sssd-ipa.5.xml:432
 9236 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 9237 msgstr ""
 9238 
 9239 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9240 #: sssd-ipa.5.xml:439
 9241 msgid "ipa_views_search_base (string)"
 9242 msgstr ""
 9243 
 9244 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9245 #: sssd-ipa.5.xml:442
 9246 msgid "Optional. Use the given string as search base for views containers."
 9247 msgstr ""
 9248 
 9249 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9250 #: sssd-ipa.5.xml:451
 9251 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 9252 msgstr ""
 9253 
 9254 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9255 #: sssd-ipa.5.xml:461
 9256 msgid ""
 9257 "The name of the Kerberos realm. This is optional and defaults to the value "
 9258 "of <quote>ipa_domain</quote>."
 9259 msgstr ""
 9260 
 9261 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9262 #: sssd-ipa.5.xml:465
 9263 msgid ""
 9264 "The name of the Kerberos realm has a special meaning in IPA - it is "
 9265 "converted into the base DN to use for performing LDAP operations."
 9266 msgstr ""
 9267 
 9268 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9269 #: sssd-ipa.5.xml:473 sssd-ad.5.xml:1334
 9270 msgid "krb5_confd_path (string)"
 9271 msgstr ""
 9272 
 9273 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9274 #: sssd-ipa.5.xml:476 sssd-ad.5.xml:1337
 9275 msgid ""
 9276 "Absolute path of a directory where SSSD should place Kerberos configuration "
 9277 "snippets."
 9278 msgstr ""
 9279 
 9280 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9281 #: sssd-ipa.5.xml:480 sssd-ad.5.xml:1341
 9282 msgid ""
 9283 "To disable the creation of the configuration snippets set the parameter to "
 9284 "'none'."
 9285 msgstr ""
 9286 
 9287 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9288 #: sssd-ipa.5.xml:484 sssd-ad.5.xml:1345
 9289 msgid "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 9290 msgstr ""
 9291 
 9292 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9293 #: sssd-ipa.5.xml:491
 9294 msgid "ipa_deskprofile_refresh (integer)"
 9295 msgstr ""
 9296 
 9297 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9298 #: sssd-ipa.5.xml:494
 9299 msgid ""
 9300 "The amount of time between lookups of the Desktop Profile rules against the "
 9301 "IPA server. This will reduce the latency and load on the IPA server if there "
 9302 "are many desktop profiles requests made in a short period."
 9303 msgstr ""
 9304 
 9305 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9306 #: sssd-ipa.5.xml:501 sssd-ipa.5.xml:531 sssd-ipa.5.xml:547 sssd-ad.5.xml:576
 9307 msgid "Default: 5 (seconds)"
 9308 msgstr ""
 9309 
 9310 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9311 #: sssd-ipa.5.xml:507
 9312 msgid "ipa_deskprofile_request_interval (integer)"
 9313 msgstr ""
 9314 
 9315 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9316 #: sssd-ipa.5.xml:510
 9317 msgid ""
 9318 "The amount of time between lookups of the Desktop Profile rules against the "
 9319 "IPA server in case the last request did not return any rule."
 9320 msgstr ""
 9321 
 9322 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9323 #: sssd-ipa.5.xml:515
 9324 msgid "Default: 60 (minutes)"
 9325 msgstr ""
 9326 
 9327 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9328 #: sssd-ipa.5.xml:521
 9329 msgid "ipa_hbac_refresh (integer)"
 9330 msgstr ""
 9331 
 9332 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9333 #: sssd-ipa.5.xml:524
 9334 msgid ""
 9335 "The amount of time between lookups of the HBAC rules against the IPA "
 9336 "server. This will reduce the latency and load on the IPA server if there are "
 9337 "many access-control requests made in a short period."
 9338 msgstr ""
 9339 
 9340 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9341 #: sssd-ipa.5.xml:537
 9342 msgid "ipa_hbac_selinux (integer)"
 9343 msgstr ""
 9344 
 9345 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9346 #: sssd-ipa.5.xml:540
 9347 msgid ""
 9348 "The amount of time between lookups of the SELinux maps against the IPA "
 9349 "server. This will reduce the latency and load on the IPA server if there are "
 9350 "many user login requests made in a short period."
 9351 msgstr ""
 9352 
 9353 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9354 #: sssd-ipa.5.xml:553
 9355 msgid "ipa_server_mode (boolean)"
 9356 msgstr ""
 9357 
 9358 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9359 #: sssd-ipa.5.xml:556
 9360 msgid ""
 9361 "This option will be set by the IPA installer (ipa-server-install) "
 9362 "automatically and denotes if SSSD is running on an IPA server or not."
 9363 msgstr ""
 9364 
 9365 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9366 #: sssd-ipa.5.xml:561
 9367 msgid ""
 9368 "On an IPA server SSSD will lookup users and groups from trusted domains "
 9369 "directly while on a client it will ask an IPA server."
 9370 msgstr ""
 9371 
 9372 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9373 #: sssd-ipa.5.xml:566
 9374 msgid ""
 9375 "NOTE: There are currently some assumptions that must be met when SSSD is "
 9376 "running on an IPA server."
 9377 msgstr ""
 9378 
 9379 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9380 #: sssd-ipa.5.xml:571
 9381 msgid ""
 9382 "The <quote>ipa_server</quote> option must be configured to point to the IPA "
 9383 "server itself. This is already the default set by the IPA installer, so no "
 9384 "manual change is required."
 9385 msgstr ""
 9386 
 9387 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9388 #: sssd-ipa.5.xml:580
 9389 msgid ""
 9390 "The <quote>full_name_format</quote> option must not be tweaked to only print "
 9391 "short names for users from trusted domains."
 9392 msgstr ""
 9393 
 9394 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9395 #: sssd-ipa.5.xml:595
 9396 msgid "ipa_automount_location (string)"
 9397 msgstr ""
 9398 
 9399 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9400 #: sssd-ipa.5.xml:598
 9401 msgid "The automounter location this IPA client will be using"
 9402 msgstr ""
 9403 
 9404 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9405 #: sssd-ipa.5.xml:601
 9406 msgid "Default: The location named \"default\""
 9407 msgstr ""
 9408 
 9409 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 9410 #: sssd-ipa.5.xml:609
 9411 msgid "VIEWS AND OVERRIDES"
 9412 msgstr ""
 9413 
 9414 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 9415 #: sssd-ipa.5.xml:618
 9416 msgid "ipa_view_class (string)"
 9417 msgstr ""
 9418 
 9419 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9420 #: sssd-ipa.5.xml:621
 9421 msgid "Objectclass of the view container."
 9422 msgstr ""
 9423 
 9424 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9425 #: sssd-ipa.5.xml:624
 9426 msgid "Default: nsContainer"
 9427 msgstr ""
 9428 
 9429 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 9430 #: sssd-ipa.5.xml:630
 9431 msgid "ipa_view_name (string)"
 9432 msgstr ""
 9433 
 9434 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9435 #: sssd-ipa.5.xml:633
 9436 msgid "Name of the attribute holding the name of the view."
 9437 msgstr ""
 9438 
 9439 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9440 #: sssd-ipa.5.xml:637 sssd-ldap-attributes.5.xml:496
 9441 #: sssd-ldap-attributes.5.xml:813 sssd-ldap-attributes.5.xml:894
 9442 #: sssd-ldap-attributes.5.xml:991 sssd-ldap-attributes.5.xml:1049
 9443 #: sssd-ldap-attributes.5.xml:1207 sssd-ldap-attributes.5.xml:1252
 9444 msgid "Default: cn"
 9445 msgstr ""
 9446 
 9447 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 9448 #: sssd-ipa.5.xml:643
 9449 msgid "ipa_override_object_class (string)"
 9450 msgstr ""
 9451 
 9452 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9453 #: sssd-ipa.5.xml:646
 9454 msgid "Objectclass of the override objects."
 9455 msgstr ""
 9456 
 9457 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9458 #: sssd-ipa.5.xml:649
 9459 msgid "Default: ipaOverrideAnchor"
 9460 msgstr ""
 9461 
 9462 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 9463 #: sssd-ipa.5.xml:655
 9464 msgid "ipa_anchor_uuid (string)"
 9465 msgstr ""
 9466 
 9467 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9468 #: sssd-ipa.5.xml:658
 9469 msgid ""
 9470 "Name of the attribute containing the reference to the original object in a "
 9471 "remote domain."
 9472 msgstr ""
 9473 
 9474 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9475 #: sssd-ipa.5.xml:662
 9476 msgid "Default: ipaAnchorUUID"
 9477 msgstr ""
 9478 
 9479 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 9480 #: sssd-ipa.5.xml:668
 9481 msgid "ipa_user_override_object_class (string)"
 9482 msgstr ""
 9483 
 9484 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9485 #: sssd-ipa.5.xml:671
 9486 msgid ""
 9487 "Name of the objectclass for user overrides. It is used to determine if the "
 9488 "found override object is related to a user or a group."
 9489 msgstr ""
 9490 
 9491 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9492 #: sssd-ipa.5.xml:676
 9493 msgid "User overrides can contain attributes given by"
 9494 msgstr ""
 9495 
 9496 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9497 #: sssd-ipa.5.xml:679
 9498 msgid "ldap_user_name"
 9499 msgstr ""
 9500 
 9501 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9502 #: sssd-ipa.5.xml:682
 9503 msgid "ldap_user_uid_number"
 9504 msgstr ""
 9505 
 9506 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9507 #: sssd-ipa.5.xml:685
 9508 msgid "ldap_user_gid_number"
 9509 msgstr ""
 9510 
 9511 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9512 #: sssd-ipa.5.xml:688
 9513 msgid "ldap_user_gecos"
 9514 msgstr ""
 9515 
 9516 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9517 #: sssd-ipa.5.xml:691
 9518 msgid "ldap_user_home_directory"
 9519 msgstr ""
 9520 
 9521 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9522 #: sssd-ipa.5.xml:694
 9523 msgid "ldap_user_shell"
 9524 msgstr ""
 9525 
 9526 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9527 #: sssd-ipa.5.xml:697
 9528 msgid "ldap_user_ssh_public_key"
 9529 msgstr ""
 9530 
 9531 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9532 #: sssd-ipa.5.xml:702
 9533 msgid "Default: ipaUserOverride"
 9534 msgstr ""
 9535 
 9536 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
 9537 #: sssd-ipa.5.xml:708
 9538 msgid "ipa_group_override_object_class (string)"
 9539 msgstr ""
 9540 
 9541 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9542 #: sssd-ipa.5.xml:711
 9543 msgid ""
 9544 "Name of the objectclass for group overrides. It is used to determine if the "
 9545 "found override object is related to a user or a group."
 9546 msgstr ""
 9547 
 9548 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9549 #: sssd-ipa.5.xml:716
 9550 msgid "Group overrides can contain attributes given by"
 9551 msgstr ""
 9552 
 9553 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9554 #: sssd-ipa.5.xml:719
 9555 msgid "ldap_group_name"
 9556 msgstr ""
 9557 
 9558 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 9559 #: sssd-ipa.5.xml:722
 9560 msgid "ldap_group_gid_number"
 9561 msgstr ""
 9562 
 9563 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 9564 #: sssd-ipa.5.xml:727
 9565 msgid "Default: ipaGroupOverride"
 9566 msgstr ""
 9567 
 9568 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 9569 #: sssd-ipa.5.xml:611
 9570 msgid ""
 9571 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 9572 "later version. Since all paths and objectclasses are fixed on the server "
 9573 "side there is basically no need to configure anything. For completeness the "
 9574 "related options are listed here with their default values.  <placeholder "
 9575 "type=\"variablelist\" id=\"0\"/>"
 9576 msgstr ""
 9577 
 9578 #. type: Content of: <reference><refentry><refsect1><title>
 9579 #: sssd-ipa.5.xml:739
 9580 msgid "SUBDOMAINS PROVIDER"
 9581 msgstr ""
 9582 
 9583 #. type: Content of: <reference><refentry><refsect1><para>
 9584 #: sssd-ipa.5.xml:741
 9585 msgid ""
 9586 "The IPA subdomains provider behaves slightly differently if it is configured "
 9587 "explicitly or implicitly."
 9588 msgstr ""
 9589 
 9590 #. type: Content of: <reference><refentry><refsect1><para>
 9591 #: sssd-ipa.5.xml:745
 9592 msgid ""
 9593 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 9594 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
 9595 "subdomain requests are sent to the IPA server if necessary."
 9596 msgstr ""
 9597 
 9598 #. type: Content of: <reference><refentry><refsect1><para>
 9599 #: sssd-ipa.5.xml:751
 9600 msgid ""
 9601 "If the option 'subdomains_provider' is not set in the domain section of "
 9602 "sssd.conf but there is the option 'id_provider = ipa', the IPA subdomains "
 9603 "provider is configured implicitly. In this case, if a subdomain request "
 9604 "fails and indicates that the server does not support subdomains, i.e. is not "
 9605 "configured for trusts, the IPA subdomains provider is disabled. After an "
 9606 "hour or after the IPA provider goes online, the subdomains provider is "
 9607 "enabled again."
 9608 msgstr ""
 9609 
 9610 #. type: Content of: <reference><refentry><refsect1><title>
 9611 #: sssd-ipa.5.xml:762
 9612 msgid "TRUSTED DOMAINS CONFIGURATION"
 9613 msgstr ""
 9614 
 9615 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
 9616 #: sssd-ipa.5.xml:770
 9617 #, no-wrap
 9618 msgid ""
 9619 "[domain/ipa.domain.com/ad.domain.com]\n"
 9620 "ad_server = dc.ad.domain.com\n"
 9621 msgstr ""
 9622 
 9623 #. type: Content of: <reference><refentry><refsect1><para>
 9624 #: sssd-ipa.5.xml:764
 9625 msgid ""
 9626 "Some configuration options can also be set for a trusted domain.  A trusted "
 9627 "domain configuration can be set using the trusted domain subsection as shown "
 9628 "in the example below. Alternatively, the <quote>subdomain_inherit</quote> "
 9629 "option can be used in the parent domain.  <placeholder "
 9630 "type=\"programlisting\" id=\"0\"/>"
 9631 msgstr ""
 9632 
 9633 #. type: Content of: <reference><refentry><refsect1><para>
 9634 #: sssd-ipa.5.xml:775
 9635 msgid ""
 9636 "For more details, see the <citerefentry> "
 9637 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
 9638 "</citerefentry> manual page."
 9639 msgstr ""
 9640 
 9641 #. type: Content of: <reference><refentry><refsect1><para>
 9642 #: sssd-ipa.5.xml:782
 9643 msgid ""
 9644 "Different configuration options are tunable for a trusted domain depending "
 9645 "on whether you are configuring SSSD on an IPA server or an IPA client."
 9646 msgstr ""
 9647 
 9648 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 9649 #: sssd-ipa.5.xml:787
 9650 msgid "OPTIONS TUNABLE ON IPA MASTERS"
 9651 msgstr ""
 9652 
 9653 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 9654 #: sssd-ipa.5.xml:789
 9655 msgid "The following options can be set in a subdomain section on an IPA master:"
 9656 msgstr ""
 9657 
 9658 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 9659 #: sssd-ipa.5.xml:793 sssd-ipa.5.xml:823
 9660 msgid "ad_server"
 9661 msgstr ""
 9662 
 9663 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 9664 #: sssd-ipa.5.xml:796
 9665 msgid "ad_backup_server"
 9666 msgstr ""
 9667 
 9668 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 9669 #: sssd-ipa.5.xml:799 sssd-ipa.5.xml:826
 9670 msgid "ad_site"
 9671 msgstr ""
 9672 
 9673 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 9674 #: sssd-ipa.5.xml:802
 9675 msgid "ldap_search_base"
 9676 msgstr ""
 9677 
 9678 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 9679 #: sssd-ipa.5.xml:805
 9680 msgid "ldap_user_search_base"
 9681 msgstr ""
 9682 
 9683 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 9684 #: sssd-ipa.5.xml:808
 9685 msgid "ldap_group_search_base"
 9686 msgstr ""
 9687 
 9688 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 9689 #: sssd-ipa.5.xml:817
 9690 msgid "OPTIONS TUNABLE ON IPA CLIENTS"
 9691 msgstr ""
 9692 
 9693 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 9694 #: sssd-ipa.5.xml:819
 9695 msgid "The following options can be set in a subdomain section on an IPA client:"
 9696 msgstr ""
 9697 
 9698 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 9699 #: sssd-ipa.5.xml:831
 9700 msgid ""
 9701 "Note that if both options are set, only <quote>ad_server</quote> is "
 9702 "evaluated."
 9703 msgstr ""
 9704 
 9705 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 9706 #: sssd-ipa.5.xml:835
 9707 msgid ""
 9708 "Since any request for a user or a group identity from a trusted domain "
 9709 "triggered from an IPA client is resolved by the IPA server, the "
 9710 "<quote>ad_server</quote> and <quote>ad_site</quote> options only affect "
 9711 "which AD DC will the authentication be performed against. In particular, the "
 9712 "addresses resolved from these lists will be written to "
 9713 "<quote>kdcinfo</quote> files read by the Kerberos locator plugin. Please "
 9714 "refer to the <citerefentry> "
 9715 "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
 9716 "<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the "
 9717 "Kerberos locator plugin."
 9718 msgstr ""
 9719 
 9720 #. type: Content of: <reference><refentry><refsect1><para>
 9721 #: sssd-ipa.5.xml:859
 9722 msgid ""
 9723 "The following example assumes that SSSD is correctly configured and "
 9724 "example.com is one of the domains in the <replaceable>[sssd]</replaceable> "
 9725 "section. This examples shows only the ipa provider-specific options."
 9726 msgstr ""
 9727 
 9728 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
 9729 #: sssd-ipa.5.xml:866
 9730 #, no-wrap
 9731 msgid ""
 9732 "[domain/example.com]\n"
 9733 "id_provider = ipa\n"
 9734 "ipa_server = ipaserver.example.com\n"
 9735 "ipa_hostname = myhost.example.com\n"
 9736 msgstr ""
 9737 
 9738 #. type: Content of: <reference><refentry><refnamediv><refname>
 9739 #: sssd-ad.5.xml:10 sssd-ad.5.xml:16
 9740 msgid "sssd-ad"
 9741 msgstr ""
 9742 
 9743 #. type: Content of: <reference><refentry><refnamediv><refpurpose>
 9744 #: sssd-ad.5.xml:17
 9745 msgid "SSSD Active Directory provider"
 9746 msgstr ""
 9747 
 9748 #. type: Content of: <reference><refentry><refsect1><para>
 9749 #: sssd-ad.5.xml:23
 9750 msgid ""
 9751 "This manual page describes the configuration of the AD provider for "
 9752 "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
 9753 "</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
 9754 "FORMAT</quote> section of the <citerefentry> "
 9755 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
 9756 "</citerefentry> manual page."
 9757 msgstr ""
 9758 
 9759 #. type: Content of: <reference><refentry><refsect1><para>
 9760 #: sssd-ad.5.xml:36
 9761 msgid ""
 9762 "The AD provider is a back end used to connect to an Active Directory "
 9763 "server. This provider requires that the machine be joined to the AD domain "
 9764 "and a keytab is available. Back end communication occurs over a "
 9765 "GSSAPI-encrypted channel, SSL/TLS options should not be used with the AD "
 9766 "provider and will be superseded by Kerberos usage."
 9767 msgstr ""
 9768 
 9769 #. type: Content of: <reference><refentry><refsect1><para>
 9770 #: sssd-ad.5.xml:44
 9771 msgid ""
 9772 "The AD provider supports connecting to Active Directory 2008 R2 or "
 9773 "later. Earlier versions may work, but are unsupported."
 9774 msgstr ""
 9775 
 9776 #. type: Content of: <reference><refentry><refsect1><para>
 9777 #: sssd-ad.5.xml:48
 9778 msgid ""
 9779 "The AD provider can be used to get user information and authenticate users "
 9780 "from trusted domains. Currently only trusted domains in the same forest are "
 9781 "recognized. In addition servers from trusted domains are always "
 9782 "auto-discovered."
 9783 msgstr ""
 9784 
 9785 #. type: Content of: <reference><refentry><refsect1><para>
 9786 #: sssd-ad.5.xml:54
 9787 msgid ""
 9788 "The AD provider enables SSSD to use the <citerefentry> "
 9789 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
 9790 "</citerefentry> identity provider and the <citerefentry> "
 9791 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
 9792 "</citerefentry> authentication provider with optimizations for Active "
 9793 "Directory environments. The AD provider accepts the same options used by the "
 9794 "sssd-ldap and sssd-krb5 providers with some exceptions. However, it is "
 9795 "neither necessary nor recommended to set these options."
 9796 msgstr ""
 9797 
 9798 #. type: Content of: <reference><refentry><refsect1><para>
 9799 #: sssd-ad.5.xml:69
 9800 msgid ""
 9801 "The AD provider primarily copies the traditional ldap and krb5 provider "
 9802 "default options with some exceptions, the differences are listed in the "
 9803 "<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 9804 msgstr ""
 9805 
 9806 #. type: Content of: <reference><refentry><refsect1><para>
 9807 #: sssd-ad.5.xml:74
 9808 msgid ""
 9809 "The AD provider can also be used as an access, chpass, sudo and autofs "
 9810 "provider. No configuration of the access provider is required on the client "
 9811 "side."
 9812 msgstr ""
 9813 
 9814 #. type: Content of: <reference><refentry><refsect1><para>
 9815 #: sssd-ad.5.xml:79
 9816 msgid ""
 9817 "If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is "
 9818 "configured in sssd.conf then the id_provider must also be set to "
 9819 "<quote>ad</quote>."
 9820 msgstr ""
 9821 
 9822 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
 9823 #: sssd-ad.5.xml:91
 9824 #, no-wrap
 9825 msgid ""
 9826 "ldap_id_mapping = False\n"
 9827 "            "
 9828 msgstr ""
 9829 
 9830 #. type: Content of: <reference><refentry><refsect1><para>
 9831 #: sssd-ad.5.xml:85
 9832 msgid ""
 9833 "By default, the AD provider will map UID and GID values from the objectSID "
 9834 "parameter in Active Directory. For details on this, see the <quote>ID "
 9835 "MAPPING</quote> section below. If you want to disable ID mapping and instead "
 9836 "rely on POSIX attributes defined in Active Directory, you should set "
 9837 "<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should "
 9838 "be used, it is recommended for performance reasons that the attributes are "
 9839 "also replicated to the Global Catalog. If POSIX attributes are replicated, "
 9840 "SSSD will attempt to locate the domain of a requested numerical ID with the "
 9841 "help of the Global Catalog and only search that domain. In contrast, if "
 9842 "POSIX attributes are not replicated to the Global Catalog, SSSD must search "
 9843 "all the domains in the forest sequentially. Please note that the "
 9844 "<quote>cache_first</quote> option might be also helpful in speeding up "
 9845 "domainless searches.  Note that if only a subset of POSIX attributes is "
 9846 "present in the Global Catalog, the non-replicated attributes are currently "
 9847 "not read from the LDAP port."
 9848 msgstr ""
 9849 
 9850 #. type: Content of: <reference><refentry><refsect1><para>
 9851 #: sssd-ad.5.xml:108
 9852 msgid ""
 9853 "Users, groups and other entities served by SSSD are always treated as "
 9854 "case-insensitive in the AD provider for compatibility with Active "
 9855 "Directory's LDAP implementation."
 9856 msgstr ""
 9857 
 9858 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9859 #: sssd-ad.5.xml:123
 9860 msgid "ad_domain (string)"
 9861 msgstr ""
 9862 
 9863 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9864 #: sssd-ad.5.xml:126
 9865 msgid ""
 9866 "Specifies the name of the Active Directory domain.  This is optional. If not "
 9867 "provided, the configuration domain name is used."
 9868 msgstr ""
 9869 
 9870 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9871 #: sssd-ad.5.xml:131
 9872 msgid ""
 9873 "For proper operation, this option should be specified as the lower-case "
 9874 "version of the long version of the Active Directory domain."
 9875 msgstr ""
 9876 
 9877 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9878 #: sssd-ad.5.xml:136
 9879 msgid ""
 9880 "The short domain name (also known as the NetBIOS or the flat name) is "
 9881 "autodetected by the SSSD."
 9882 msgstr ""
 9883 
 9884 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9885 #: sssd-ad.5.xml:143
 9886 msgid "ad_enabled_domains (string)"
 9887 msgstr ""
 9888 
 9889 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9890 #: sssd-ad.5.xml:146
 9891 msgid ""
 9892 "A comma-separated list of enabled Active Directory domains.  If provided, "
 9893 "SSSD will ignore any domains not listed in this option. If left unset, all "
 9894 "domains from the AD forest will be available."
 9895 msgstr ""
 9896 
 9897 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
 9898 #: sssd-ad.5.xml:156
 9899 #, no-wrap
 9900 msgid ""
 9901 "ad_enabled_domains = sales.example.com, eng.example.com\n"
 9902 "                            "
 9903 msgstr ""
 9904 
 9905 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9906 #: sssd-ad.5.xml:152
 9907 msgid ""
 9908 "For proper operation, this option must be specified in all lower-case and as "
 9909 "the fully qualified domain name of the Active Directory domain. For example: "
 9910 "<placeholder type=\"programlisting\" id=\"0\"/>"
 9911 msgstr ""
 9912 
 9913 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9914 #: sssd-ad.5.xml:160
 9915 msgid ""
 9916 "The short domain name (also known as the NetBIOS or the flat name) will be "
 9917 "autodetected by SSSD."
 9918 msgstr ""
 9919 
 9920 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9921 #: sssd-ad.5.xml:170
 9922 msgid "ad_server, ad_backup_server (string)"
 9923 msgstr ""
 9924 
 9925 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9926 #: sssd-ad.5.xml:173
 9927 msgid ""
 9928 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 9929 "connect in order of preference. For more information on failover and server "
 9930 "redundancy, see the <quote>FAILOVER</quote> section."
 9931 msgstr ""
 9932 
 9933 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9934 #: sssd-ad.5.xml:180
 9935 msgid ""
 9936 "This is optional if autodiscovery is enabled.  For more information on "
 9937 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 9938 msgstr ""
 9939 
 9940 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9941 #: sssd-ad.5.xml:185
 9942 msgid ""
 9943 "Note: Trusted domains will always auto-discover servers even if the primary "
 9944 "server is explicitly defined in the ad_server option."
 9945 msgstr ""
 9946 
 9947 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9948 #: sssd-ad.5.xml:193
 9949 msgid "ad_hostname (string)"
 9950 msgstr ""
 9951 
 9952 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9953 #: sssd-ad.5.xml:196
 9954 msgid ""
 9955 "Optional. On machines where the hostname(5) does not reflect the fully "
 9956 "qualified name, sssd will try to expand the short name. If it is not "
 9957 "possible or the short name should be really used instead, set this parameter "
 9958 "explicitly."
 9959 msgstr ""
 9960 
 9961 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9962 #: sssd-ad.5.xml:203
 9963 msgid ""
 9964 "This field is used to determine the host principal in use in the keytab and "
 9965 "to perform dynamic DNS updates. It must match the hostname for which the "
 9966 "keytab was issued."
 9967 msgstr ""
 9968 
 9969 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9970 #: sssd-ad.5.xml:212
 9971 msgid "ad_enable_dns_sites (boolean)"
 9972 msgstr ""
 9973 
 9974 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9975 #: sssd-ad.5.xml:219
 9976 msgid ""
 9977 "If true and service discovery (see Service Discovery paragraph at the bottom "
 9978 "of the man page)  is enabled, the SSSD will first attempt to discover the "
 9979 "Active Directory server to connect to using the Active Directory Site "
 9980 "Discovery and fall back to the DNS SRV records if no AD site is found. The "
 9981 "DNS SRV configuration, including the discovery domain, is used during site "
 9982 "discovery as well."
 9983 msgstr ""
 9984 
 9985 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 9986 #: sssd-ad.5.xml:235
 9987 msgid "ad_access_filter (string)"
 9988 msgstr ""
 9989 
 9990 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 9991 #: sssd-ad.5.xml:238
 9992 msgid ""
 9993 "This option specifies LDAP access control filter that the user must match in "
 9994 "order to be allowed access. Please note that the "
 9995 "<quote>access_provider</quote> option must be explicitly set to "
 9996 "<quote>ad</quote> in order for this option to have an effect."
 9997 msgstr ""
 9998 
 9999 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10000 #: sssd-ad.5.xml:246
10001 msgid ""
10002 "The option also supports specifying different filters per domain or "
10003 "forest. This extended filter would consist of: "
10004 "<quote>KEYWORD:NAME:FILTER</quote>.  The keyword can be either "
10005 "<quote>DOM</quote>, <quote>FOREST</quote> or missing."
10006 msgstr ""
10007 
10008 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10009 #: sssd-ad.5.xml:254
10010 msgid ""
10011 "If the keyword equals to <quote>DOM</quote> or is missing, then "
10012 "<quote>NAME</quote> specifies the domain or subdomain the filter applies "
10013 "to.  If the keyword equals to <quote>FOREST</quote>, then the filter equals "
10014 "to all domains from the forest specified by <quote>NAME</quote>."
10015 msgstr ""
10016 
10017 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10018 #: sssd-ad.5.xml:262
10019 msgid ""
10020 "Multiple filters can be separated with the <quote>?</quote> character, "
10021 "similarly to how search bases work."
10022 msgstr ""
10023 
10024 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10025 #: sssd-ad.5.xml:267
10026 msgid ""
10027 "Nested group membership must be searched for using a special OID "
10028 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full "
10029 "DOM:domain.example.org: syntax to ensure the parser does not attempt to "
10030 "interpret the colon characters associated with the OID. If you do not use "
10031 "this OID then nested group membership will not be resolved. See usage "
10032 "example below and refer here for further information about the OID: <ulink "
10033 "url=\"https://msdn.microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] "
10034 "section LDAP extensions</ulink>"
10035 msgstr ""
10036 
10037 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10038 #: sssd-ad.5.xml:280
10039 msgid ""
10040 "The most specific match is always used. For example, if the option specified "
10041 "filter for a domain the user is a member of and a global filter, the "
10042 "per-domain filter would be applied.  If there are more matches with the same "
10043 "specification, the first one is used."
10044 msgstr ""
10045 
10046 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
10047 #: sssd-ad.5.xml:291
10048 #, no-wrap
10049 msgid ""
10050 "# apply filter on domain called dom1 only:\n"
10051 "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
10052 "\n"
10053 "# apply filter on domain called dom2 only:\n"
10054 "DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
10055 "\n"
10056 "# apply filter on forest called EXAMPLE.COM only:\n"
10057 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
10058 "\n"
10059 "# apply filter for a member of a nested group in dom1:\n"
10060 "DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
10061 "                        "
10062 msgstr ""
10063 
10064 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
10065 #: sssd-ad.5.xml:310
10066 msgid "ad_site (string)"
10067 msgstr ""
10068 
10069 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10070 #: sssd-ad.5.xml:313
10071 msgid ""
10072 "Specify AD site to which client should try to connect.  If this option is "
10073 "not provided, the AD site will be auto-discovered."
10074 msgstr ""
10075 
10076 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
10077 #: sssd-ad.5.xml:324
10078 msgid "ad_enable_gc (boolean)"
10079 msgstr ""
10080 
10081 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10082 #: sssd-ad.5.xml:327
10083 msgid ""
10084 "By default, the SSSD connects to the Global Catalog first to retrieve users "
10085 "from trusted domains and uses the LDAP port to retrieve group memberships or "
10086 "as a fallback. Disabling this option makes the SSSD only connect to the LDAP "
10087 "port of the current AD server."
10088 msgstr ""
10089 
10090 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10091 #: sssd-ad.5.xml:335
10092 msgid ""
10093 "Please note that disabling Global Catalog support does not disable "
10094 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
10095 "port of trusted domains instead. However, Global Catalog must be used in "
10096 "order to resolve cross-domain group memberships."
10097 msgstr ""
10098 
10099 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
10100 #: sssd-ad.5.xml:349
10101 msgid "ad_gpo_access_control (string)"
10102 msgstr ""
10103 
10104 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10105 #: sssd-ad.5.xml:352
10106 msgid ""
10107 "This option specifies the operation mode for GPO-based access control "
10108 "functionality: whether it operates in disabled mode, enforcing mode, or "
10109 "permissive mode. Please note that the <quote>access_provider</quote> option "
10110 "must be explicitly set to <quote>ad</quote> in order for this option to have "
10111 "an effect."
10112 msgstr ""
10113 
10114 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10115 #: sssd-ad.5.xml:361
10116 msgid ""
10117 "GPO-based access control functionality uses GPO policy settings to determine "
10118 "whether or not a particular user is allowed to logon to the host.  For more "
10119 "information on the supported policy settings please refer to the "
10120 "<quote>ad_gpo_map</quote> options."
10121 msgstr ""
10122 
10123 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10124 #: sssd-ad.5.xml:369
10125 msgid ""
10126 "Please note that current version of SSSD does not support Active Directory's "
10127 "built-in groups.  Built-in groups (such as Administrators with SID "
10128 "S-1-5-32-544) in GPO access control rules will be ignored by SSSD.  See "
10129 "upstream issue tracker https://github.com/SSSD/sssd/issues/5063 ."
10130 msgstr ""
10131 
10132 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10133 #: sssd-ad.5.xml:378
10134 msgid ""
10135 "Before performing access control SSSD applies group policy security "
10136 "filtering on the GPOs. For every single user login, the applicability of the "
10137 "GPOs that are linked to the host is checked. In order for a GPO to apply to "
10138 "a user, the user or at least one of the groups to which it belongs must have "
10139 "following permissions on the GPO:"
10140 msgstr ""
10141 
10142 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10143 #: sssd-ad.5.xml:388
10144 msgid ""
10145 "Read: The user or one of its groups must have read access to the properties "
10146 "of the GPO (RIGHT_DS_READ_PROPERTY)"
10147 msgstr ""
10148 
10149 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10150 #: sssd-ad.5.xml:395
10151 msgid ""
10152 "Apply Group Policy: The user or at least one of its groups must be allowed "
10153 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
10154 msgstr ""
10155 
10156 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10157 #: sssd-ad.5.xml:403
10158 msgid ""
10159 "By default, the Authenticated Users group is present on a GPO and this group "
10160 "has both Read and Apply Group Policy access rights. Since authentication of "
10161 "a user must have been completed successfully before GPO security filtering "
10162 "and access control are started, the Authenticated Users group permissions on "
10163 "the GPO always apply also to the user."
10164 msgstr ""
10165 
10166 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10167 #: sssd-ad.5.xml:412
10168 msgid ""
10169 "NOTE: If the operation mode is set to enforcing, it is possible that users "
10170 "that were previously allowed logon access will now be denied logon access "
10171 "(as dictated by the GPO policy settings). In order to facilitate a smooth "
10172 "transition for administrators, a permissive mode is available that will not "
10173 "enforce the access control rules, but will evaluate them and will output a "
10174 "syslog message if access would have been denied. By examining the logs, "
10175 "administrators can then make the necessary changes before setting the mode "
10176 "to enforcing. For logging GPO-based access control debug level 'trace "
10177 "functions' is required (see <citerefentry> "
10178 "<refentrytitle>sssctl</refentrytitle> <manvolnum>8</manvolnum> "
10179 "</citerefentry> manual page)."
10180 msgstr ""
10181 
10182 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10183 #: sssd-ad.5.xml:431
10184 msgid "There are three supported values for this option:"
10185 msgstr ""
10186 
10187 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10188 #: sssd-ad.5.xml:435
10189 msgid "disabled: GPO-based access control rules are neither evaluated nor enforced."
10190 msgstr ""
10191 
10192 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10193 #: sssd-ad.5.xml:441
10194 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
10195 msgstr ""
10196 
10197 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10198 #: sssd-ad.5.xml:447
10199 msgid ""
10200 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
10201 "Instead, a syslog message will be emitted indicating that the user would "
10202 "have been denied access if this option's value were set to enforcing."
10203 msgstr ""
10204 
10205 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10206 #: sssd-ad.5.xml:458
10207 msgid "Default: permissive"
10208 msgstr ""
10209 
10210 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10211 #: sssd-ad.5.xml:461
10212 msgid "Default: enforcing"
10213 msgstr ""
10214 
10215 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
10216 #: sssd-ad.5.xml:467
10217 msgid "ad_gpo_implicit_deny (boolean)"
10218 msgstr ""
10219 
10220 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10221 #: sssd-ad.5.xml:470
10222 msgid ""
10223 "Normally when no applicable GPOs are found the users are allowed "
10224 "access. When this option is set to True users will be allowed access only "
10225 "when explicitly allowed by a GPO rule. Otherwise users will be denied "
10226 "access. This can be used to harden security but be careful when using this "
10227 "option because it can deny access even to users in the built-in "
10228 "Administrators group if no GPO rules apply to them."
10229 msgstr ""
10230 
10231 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10232 #: sssd-ad.5.xml:486
10233 msgid ""
10234 "The following 2 tables should illustrate when a user is allowed or rejected "
10235 "based on the allow and deny login rights defined on the server-side and the "
10236 "setting of ad_gpo_implicit_deny."
10237 msgstr ""
10238 
10239 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
10240 #: sssd-ad.5.xml:498
10241 msgid "ad_gpo_implicit_deny = False (default)"
10242 msgstr ""
10243 
10244 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
10245 #: sssd-ad.5.xml:499 sssd-ad.5.xml:525
10246 msgid "allow-rules"
10247 msgstr ""
10248 
10249 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
10250 #: sssd-ad.5.xml:499 sssd-ad.5.xml:525
10251 msgid "deny-rules"
10252 msgstr ""
10253 
10254 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
10255 #: sssd-ad.5.xml:500 sssd-ad.5.xml:526
10256 msgid "results"
10257 msgstr ""
10258 
10259 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
10260 #: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
10261 #: sssd-ad.5.xml:532 sssd-ad.5.xml:535
10262 msgid "missing"
10263 msgstr ""
10264 
10265 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
10266 #: sssd-ad.5.xml:504
10267 msgid "all users are allowed"
10268 msgstr ""
10269 
10270 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
10271 #: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
10272 #: sssd-ad.5.xml:535 sssd-ad.5.xml:538
10273 msgid "present"
10274 msgstr ""
10275 
10276 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
10277 #: sssd-ad.5.xml:507
10278 msgid "only users not in deny-rules are allowed"
10279 msgstr ""
10280 
10281 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
10282 #: sssd-ad.5.xml:510 sssd-ad.5.xml:536
10283 msgid "only users in allow-rules are allowed"
10284 msgstr ""
10285 
10286 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
10287 #: sssd-ad.5.xml:513 sssd-ad.5.xml:539
10288 msgid "only users in allow-rules and not in deny-rules are allowed"
10289 msgstr ""
10290 
10291 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
10292 #: sssd-ad.5.xml:524
10293 msgid "ad_gpo_implicit_deny = True"
10294 msgstr ""
10295 
10296 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
10297 #: sssd-ad.5.xml:530 sssd-ad.5.xml:533
10298 msgid "no users are allowed"
10299 msgstr ""
10300 
10301 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
10302 #: sssd-ad.5.xml:546
10303 msgid "ad_gpo_ignore_unreadable (boolean)"
10304 msgstr ""
10305 
10306 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10307 #: sssd-ad.5.xml:549
10308 msgid ""
10309 "Normally when some group policy containers (AD object) of applicable group "
10310 "policy objects are not readable by SSSD then users are denied access.  This "
10311 "option allows to ignore group policy containers and with them associated "
10312 "policies if their attributes in group policy containers are not readable for "
10313 "SSSD."
10314 msgstr ""
10315 
10316 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
10317 #: sssd-ad.5.xml:566
10318 msgid "ad_gpo_cache_timeout (integer)"
10319 msgstr ""
10320 
10321 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10322 #: sssd-ad.5.xml:569
10323 msgid ""
10324 "The amount of time between lookups of GPO policy files against the AD "
10325 "server. This will reduce the latency and load on the AD server if there are "
10326 "many access-control requests made in a short period."
10327 msgstr ""
10328 
10329 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
10330 #: sssd-ad.5.xml:582
10331 msgid "ad_gpo_map_interactive (string)"
10332 msgstr ""
10333 
10334 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10335 #: sssd-ad.5.xml:585
10336 msgid ""
10337 "A comma-separated list of PAM service names for which GPO-based access "
10338 "control is evaluated based on the InteractiveLogonRight and "
10339 "DenyInteractiveLogonRight policy settings.  Only those GPOs are evaluated "
10340 "for which the user has Read and Apply Group Policy permission (see option "
10341 "<quote>ad_gpo_access_control</quote>).  If an evaluated GPO contains the "
10342 "deny interactive logon setting for the user or one of its groups, the user "
10343 "is denied local access.  If none of the evaluated GPOs has an interactive "
10344 "logon right defined, the user is granted local access. If at least one "
10345 "evaluated GPO contains interactive logon right settings, the user is granted "
10346 "local access only, if it or at least one of its groups is part of the policy "
10347 "settings."
10348 msgstr ""
10349 
10350 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10351 #: sssd-ad.5.xml:603
10352 msgid ""
10353 "Note: Using the Group Policy Management Editor this value is called \"Allow "
10354 "log on locally\" and \"Deny log on locally\"."
10355 msgstr ""
10356 
10357 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
10358 #: sssd-ad.5.xml:617
10359 #, no-wrap
10360 msgid ""
10361 "ad_gpo_map_interactive = +my_pam_service, -login\n"
10362 "                            "
10363 msgstr ""
10364 
10365 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10366 #: sssd-ad.5.xml:608
10367 msgid ""
10368 "It is possible to add another PAM service name to the default set by using "
10369 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
10370 "the default set by using <quote>-service_name</quote>.  For example, in "
10371 "order to replace a default PAM service name for this logon right "
10372 "(e.g. <quote>login</quote>)  with a custom pam service name "
10373 "(e.g. <quote>my_pam_service</quote>), you would use the following "
10374 "configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
10375 msgstr ""
10376 
10377 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10378 #: sssd-ad.5.xml:640
10379 msgid "gdm-fingerprint"
10380 msgstr ""
10381 
10382 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10383 #: sssd-ad.5.xml:660
10384 msgid "lightdm"
10385 msgstr ""
10386 
10387 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10388 #: sssd-ad.5.xml:665
10389 msgid "lxdm"
10390 msgstr ""
10391 
10392 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10393 #: sssd-ad.5.xml:670
10394 msgid "sddm"
10395 msgstr ""
10396 
10397 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10398 #: sssd-ad.5.xml:675
10399 msgid "unity"
10400 msgstr ""
10401 
10402 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10403 #: sssd-ad.5.xml:680
10404 msgid "xdm"
10405 msgstr ""
10406 
10407 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
10408 #: sssd-ad.5.xml:689
10409 msgid "ad_gpo_map_remote_interactive (string)"
10410 msgstr ""
10411 
10412 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10413 #: sssd-ad.5.xml:692
10414 msgid ""
10415 "A comma-separated list of PAM service names for which GPO-based access "
10416 "control is evaluated based on the RemoteInteractiveLogonRight and "
10417 "DenyRemoteInteractiveLogonRight policy settings.  Only those GPOs are "
10418 "evaluated for which the user has Read and Apply Group Policy permission (see "
10419 "option <quote>ad_gpo_access_control</quote>).  If an evaluated GPO contains "
10420 "the deny remote logon setting for the user or one of its groups, the user is "
10421 "denied remote interactive access.  If none of the evaluated GPOs has a "
10422 "remote interactive logon right defined, the user is granted remote "
10423 "access. If at least one evaluated GPO contains remote interactive logon "
10424 "right settings, the user is granted remote access only, if it or at least "
10425 "one of its groups is part of the policy settings."
10426 msgstr ""
10427 
10428 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10429 #: sssd-ad.5.xml:711
10430 msgid ""
10431 "Note: Using the Group Policy Management Editor this value is called \"Allow "
10432 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
10433 "Desktop Services\"."
10434 msgstr ""
10435 
10436 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
10437 #: sssd-ad.5.xml:726
10438 #, no-wrap
10439 msgid ""
10440 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
10441 "                            "
10442 msgstr ""
10443 
10444 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10445 #: sssd-ad.5.xml:717
10446 msgid ""
10447 "It is possible to add another PAM service name to the default set by using "
10448 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
10449 "the default set by using <quote>-service_name</quote>.  For example, in "
10450 "order to replace a default PAM service name for this logon right "
10451 "(e.g. <quote>sshd</quote>)  with a custom pam service name "
10452 "(e.g. <quote>my_pam_service</quote>), you would use the following "
10453 "configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
10454 msgstr ""
10455 
10456 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10457 #: sssd-ad.5.xml:734
10458 msgid "sshd"
10459 msgstr ""
10460 
10461 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10462 #: sssd-ad.5.xml:739
10463 msgid "cockpit"
10464 msgstr ""
10465 
10466 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
10467 #: sssd-ad.5.xml:748
10468 msgid "ad_gpo_map_network (string)"
10469 msgstr ""
10470 
10471 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10472 #: sssd-ad.5.xml:751
10473 msgid ""
10474 "A comma-separated list of PAM service names for which GPO-based access "
10475 "control is evaluated based on the NetworkLogonRight and "
10476 "DenyNetworkLogonRight policy settings.  Only those GPOs are evaluated for "
10477 "which the user has Read and Apply Group Policy permission (see option "
10478 "<quote>ad_gpo_access_control</quote>).  If an evaluated GPO contains the "
10479 "deny network logon setting for the user or one of its groups, the user is "
10480 "denied network logon access.  If none of the evaluated GPOs has a network "
10481 "logon right defined, the user is granted logon access. If at least one "
10482 "evaluated GPO contains network logon right settings, the user is granted "
10483 "logon access only, if it or at least one of its groups is part of the policy "
10484 "settings."
10485 msgstr ""
10486 
10487 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10488 #: sssd-ad.5.xml:769
10489 msgid ""
10490 "Note: Using the Group Policy Management Editor this value is called \"Access "
10491 "this computer from the network\" and \"Deny access to this computer from the "
10492 "network\"."
10493 msgstr ""
10494 
10495 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
10496 #: sssd-ad.5.xml:784
10497 #, no-wrap
10498 msgid ""
10499 "ad_gpo_map_network = +my_pam_service, -ftp\n"
10500 "                            "
10501 msgstr ""
10502 
10503 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10504 #: sssd-ad.5.xml:775
10505 msgid ""
10506 "It is possible to add another PAM service name to the default set by using "
10507 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
10508 "the default set by using <quote>-service_name</quote>.  For example, in "
10509 "order to replace a default PAM service name for this logon right "
10510 "(e.g. <quote>ftp</quote>)  with a custom pam service name "
10511 "(e.g. <quote>my_pam_service</quote>), you would use the following "
10512 "configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
10513 msgstr ""
10514 
10515 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10516 #: sssd-ad.5.xml:792
10517 msgid "ftp"
10518 msgstr ""
10519 
10520 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
10521 #: sssd-ad.5.xml:797
10522 msgid "samba"
10523 msgstr ""
10524 
10525 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
10526 #: sssd-ad.5.xml:806
10527 msgid "ad_gpo_map_batch (string)"
10528 msgstr ""
10529 
10530 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10531 #: sssd-ad.5.xml:809
10532 msgid ""
10533 "A comma-separated list of PAM service names for which GPO-based access "
10534 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
10535 "policy settings.  Only those GPOs are evaluated for which the user has Read "
10536 "and Apply Group Policy permission (see option "
10537 "<quote>ad_gpo_access_control</quote>).  If an evaluated GPO contains the "
10538 "deny batch logon setting for the user or one of its groups, the user is "
10539 "denied batch logon access.  If none of the evaluated GPOs has a batch logon "
10540 "right defined, the user is granted logon access. If at least one evaluated "
10541 "GPO contains batch logon right settings, the user is granted logon access "
10542 "only, if it or at least one of its groups is part of the policy settings."
10543 msgstr ""
10544 
10545 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10546 #: sssd-ad.5.xml:827
10547 msgid ""
10548 "Note: Using the Group Policy Management Editor this value is called \"Allow "
10549 "log on as a batch job\" and \"Deny log on as a batch job\"."
10550 msgstr ""
10551 
10552 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
10553 #: sssd-ad.5.xml:841
10554 #, no-wrap
10555 msgid ""
10556 "ad_gpo_map_batch = +my_pam_service, -crond\n"
10557 "                            "
10558 msgstr ""
10559 
10560 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
10561 #: sssd-ad.5.xml:832
10562 msgid ""
10563 "It is possible to add another PAM service name to the default set by using "
10564 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "