ehlo The first patch is sligtly modified version of Michal's patch. It depends on patch for config snippet. Because config validation is optional if it isn't supported in libini_config. And detection for new libini_config is in patch for config snippets
You might see "typos" in sssd.log e.g. (Thu Jun 23 10:48:39:370079 2016) [sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'ldapi_uri' is not allowed in section 'domain/example.com'. Check for typos. BTW don't forget to build with ding-libs-0.6 (libini_config 1.3.0) LS
>From 76d0ab2784d341e5204d63ddebcfec2012f01016 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com> Date: Wed, 22 Jun 2016 19:11:42 +0200 Subject: [PATCH 1/2] confdb: Check for config file errors on sssd startup Resolves: https://fedorahosted.org/sssd/ticket/2028 Signed-off-by: Lukas Slebodnik <lsleb...@redhat.com> --- src/confdb/confdb.c | 2 +- src/confdb/confdb.h | 2 +- src/confdb/confdb_setup.c | 9 ++++++++- src/util/sss_ini.c | 49 +++++++++++++++++++++++++++++++++++++++++++++-- src/util/sss_ini.h | 4 ++++ 5 files changed, 61 insertions(+), 5 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index d409344890c869aa3e7b2dbb49c0f51cd3a20adc..b99c6cf403ffc638b5292036e6111b6579e324fc 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1,7 +1,7 @@ /* SSSD - NSS Configuratoin DB + SSSD Configuration DB Copyright (C) Simo Sorce <sso...@redhat.com> 2008 diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 2cd75b9e8b7d81261774303ad48fcec4112e3ae4..eb5764c2e56f1ad0d22998eaf089ee57d7e83101 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -1,7 +1,7 @@ /* SSSD - NSS Configuratoin DB + SSSD Configuration DB Copyright (C) Simo Sorce <sso...@redhat.com> 2008 diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c index b17a34b1213b0ebeeea5719c78ea1db8d5fabfd6..e3d1fc54da4fc8a666b456b88c091309db2bf969 100644 --- a/src/confdb/confdb_setup.c +++ b/src/confdb/confdb_setup.c @@ -141,7 +141,6 @@ int confdb_init_db(const char *config_file, const char *config_dir, struct ldb_ldif *ldif; struct sss_ini_initdata *init_data; - tmp_ctx = talloc_new(cdb); if (tmp_ctx == NULL) { DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n"); @@ -217,6 +216,14 @@ int confdb_init_db(const char *config_file, const char *config_dir, goto done; } + /* FIXME: Do not hardcode the path */ + ret = sss_ini_call_validators(init_data, + "/var/lib/sss/cfg_rules.ini"); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to call validators\n"); + /* This is not fatal, continue */ + } + /* Make sure that the config file version matches the confdb version */ ret = sss_ini_get_cfgobj(init_data, "sssd", "config_file_version"); if (ret != EOK) { diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c index 2d786df94fe09601bd4b1d3d1fa145739f30ef39..0b6691bece541417e196612f204be091e0c5fa2b 100644 --- a/src/util/sss_ini.c +++ b/src/util/sss_ini.c @@ -60,8 +60,6 @@ struct sss_ini_initdata { #define sss_ini_get_const_string_config_value ini_get_const_string_config_value #define sss_ini_get_config_obj ini_get_config_valueobj - - #else struct sss_ini_initdata { @@ -527,3 +525,50 @@ error: talloc_free(ldif); return ret; } + +int sss_ini_call_validators(struct sss_ini_initdata *data, + const char *rules_path) +{ +#ifdef HAVE_LIBINI_CONFIG_V1_3 + int ret; + struct ini_cfgobj *rules_cfgobj = NULL; + struct ini_errobj *errobj = NULL; + + ret = ini_errobj_create(&errobj); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to create error list\n"); + goto done; + } + + ret = ini_rules_read_from_file(rules_path, &rules_cfgobj); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to read sssd.conf schema %d [%s]\n", ret, strerror(ret)); + goto done; + } + + ret = ini_rules_check(rules_cfgobj, data->sssd_config, NULL, errobj); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "ini_rules_check failed %d [%s]\n", ret, strerror(ret)); + goto done; + } + + /* Do not error out when validators find some issue */ + while (!ini_errobj_no_more_msgs(errobj)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "%s\n", ini_errobj_get_msg(errobj)); + ini_errobj_next(errobj); + } + +done: + if (rules_cfgobj) ini_config_destroy(rules_cfgobj); + ini_errobj_destroy(&errobj); + + return ret; +#else + DEBUG(SSSDBG_TRACE_FUNC, + "libini_config does not support configuration file validataion\n"); + return EOK; +#endif /* HAVE_LIBINI_CONFIG_V1_3 */ +} diff --git a/src/util/sss_ini.h b/src/util/sss_ini.h index f5b36deb9cacfecbd68dd2a4d37a4398ce280c3c..7734bab3ce612fe97864ba17493ee200712884fc 100644 --- a/src/util/sss_ini.h +++ b/src/util/sss_ini.h @@ -79,4 +79,8 @@ int sss_confdb_create_ldif(TALLOC_CTX *mem_ctx, struct sss_ini_initdata *init_data, const char **config_ldif); +/* Validate sssd.conf if libini_config support it */ +int sss_ini_call_validators(struct sss_ini_initdata *data, + const char *rules_path); + #endif /* __SSS_INI_H__ */ -- 2.7.4
>From 0436bd95ceafed4ce1c9173fa001c5aee064b29e Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik <lsleb...@redhat.com> Date: Thu, 23 Jun 2016 08:52:18 +0200 Subject: [PATCH 2/2] Prepare ini schema with rules for validation Resolves: https://fedorahosted.org/sssd/ticket/2028 --- Makefile.am | 5 +- contrib/sssd.spec.in | 1 + src/confdb/confdb_setup.c | 2 +- src/config/cfg_rules.ini | 615 ++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 621 insertions(+), 2 deletions(-) create mode 100644 src/config/cfg_rules.ini diff --git a/Makefile.am b/Makefile.am index 0d11fb8562bad966245af82a4c293d386ea6db9e..e93ba00c0559eb53c3bea7f0a74d6f9b372bf572 100644 --- a/Makefile.am +++ b/Makefile.am @@ -451,6 +451,7 @@ AM_CPPFLAGS = \ -DSSS_STATEDIR=\"$(sss_statedir)\" \ -DSYSCONFDIR=\"$(sysconfdir)\" \ -DSHLIBEXT=\"$(SHLIBEXT)\" \ + -DSSSDDATADIR=\"$(sssddatadir)\" \ -DSSSD_LIBEXEC_PATH=\"$(sssdlibexecdir)\" \ -DSSSD_CONF_DIR=\"$(sssdconfdir)\" \ -DSSSD_DEFAULT_CONF_DIR=\"$(sssddefaultconfdir)\" \ @@ -3757,7 +3758,9 @@ endif dist_sssddata_DATA = \ - src/config/etc/sssd.api.conf + src/config/etc/sssd.api.conf \ + src/config/cfg_rules.ini \ + $(NULL) dist_sssdapiplugin_DATA = \ src/config/etc/sssd.api.d/sssd-ipa.conf \ src/config/etc/sssd.api.d/sssd-ad.conf \ diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 37d5acea79ea16502ff0e0118c2543bccd410bf5..9ba92cfafd49af51536ad29936e80aadfb841821 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -795,6 +795,7 @@ done %{_sysconfdir}/pam.d/sssd-shadowutils %{_libdir}/%{name}/conf/sssd.conf +%{_datadir}/sssd/cfg_rules.ini %{_datadir}/sssd/sssd.api.conf %{_datadir}/sssd/sssd.api.d %{_mandir}/man1/sss_ssh_authorizedkeys.1* diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c index e3d1fc54da4fc8a666b456b88c091309db2bf969..c0d8296c3f355525ad7edf2c282cb1703bedc2c0 100644 --- a/src/confdb/confdb_setup.c +++ b/src/confdb/confdb_setup.c @@ -218,7 +218,7 @@ int confdb_init_db(const char *config_file, const char *config_dir, /* FIXME: Do not hardcode the path */ ret = sss_ini_call_validators(init_data, - "/var/lib/sss/cfg_rules.ini"); + SSSDDATADIR"/cfg_rules.ini"); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to call validators\n"); /* This is not fatal, continue */ diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini new file mode 100644 index 0000000000000000000000000000000000000000..d738ddf5ac5c220dbf2c3c99782368c684072e3f --- /dev/null +++ b/src/config/cfg_rules.ini @@ -0,0 +1,615 @@ +[rule/allowed_sections] +validator = ini_allowed_sections +section = sssd +section = nss +section = pam +section = sudo +section = autofs +section = ssh +section = pac +section = ifp +section_re = ^domain/.*$ + +[rule/allowed_sssd_options] +validator = ini_allowed_options +section_re = ^sssd$ + +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +# Monitor service +option = services +option = domains +option = timeout +option = sbus_timeout +option = re_expression +option = full_name_format +option = krb5_rcache_dir +option = user +option = default_domain_suffix +option = certificate_verification + +[rule/allowed_nss_options] +validator = ini_allowed_options +section_re = ^nss$ + +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +# Name service +option = enum_cache_timeout +option = entry_cache_nowait_percentage +option = entry_negative_timeout +option = local_negative_timeout +option = filter_users +option = filter_groups +option = filter_users_in_groups +option = pwfield +option = override_homedir +option = fallback_homedir +option = homedir_substring +option = override_shell +option = allowed_shells +option = vetoed_shells +option = shell_fallback +option = default_shell +option = get_domains_timeout +option = memcache_timeout +option = override_space + +[rule/allowed_pam_options] +validator = ini_allowed_options +section_re = ^pam$ + +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +# Authentication service +option = offline_credentials_expiration +option = offline_failed_login_attempts +option = offline_failed_login_delay +option = pam_verbosity +option = pam_id_timeout +option = pam_pwd_expiration_warning +option = get_domains_timeout +option = pam_trusted_users +option = pam_public_domains +option = pam_account_expired_message +option = pam_account_locked_message +option = pam_cert_auth +option = pam_cert_db_path +option = p11_child_timeout + +[rule/allowed_sudo_options] +validator = ini_allowed_options +section_re = ^sudo$ + +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +# sudo service +option = sudo_timed +option = sudo_inverse_order + +[rule/allowed_autofs_options] +validator = ini_allowed_options +section_re = ^autofs$ + +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +# autofs service +option = autofs_negative_timeout + +[rule/allowed_ssh_options] +validator = ini_allowed_options +section_re = ^ssh$ + +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +# ssh service +option = ssh_hash_known_hosts +option = ssh_known_hosts_timeout +option = ca_db + +[rule/allowed_pac_options] +validator = ini_allowed_options +section_re = ^pac$ + +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +# PAC responder +option = allowed_uids +option = user_attributes +option = pac_lifetime + +[rule/allowed_ifp_options] +validator = ini_allowed_options +section_re = ^ifp$ + +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +# InfoPipe responder +option = allowed_uids +option = user_attributes + +[rule/allowed_domain_options] +validator = ini_allowed_options +section_re = ^domain/.*$ + +option = debug +option = debug_level +option = debug_timestamps +option = debug_microseconds +option = debug_to_files +option = command +option = reconnection_retries +option = fd_limit +option = client_idle_timeout +option = force_timeout +option = description +option = diag_cmd + +#Available provider types +option = id_provider +option = auth_provider +option = access_provider +option = chpass_provider +option = sudo_provider +option = autofs_provider +option = session_provider +option = hostid_provider +option = subdomains_provider + +# Options available to all domains +option = min_id +option = max_id +option = timeout +option = try_inotify +option = enumerate +option = subdomain_enumerate +option = force_timeout +option = offline_timeout +option = cache_credentials +option = cache_credentials_minimal_first_factor_length +option = store_legacy_passwords +option = use_fully_qualified_names +option = ignore_group_members +option = entry_cache_timeout +option = lookup_family_order +option = account_cache_expiration +option = pwd_expiration_warning +option = filter_users +option = filter_groups +option = dns_resolver_timeout +option = dns_discovery_domain +option = override_gid +option = case_sensitive +option = override_homedir +option = fallback_homedir +option = homedir_substring +option = override_shell +option = default_shell +option = description +option = realmd_tags +option = subdomain_refresh_interval +option = subdomain_inherit +option = cached_auth_timeout +option = wildcard_limit + +#Entry cache timeouts +option = entry_cache_user_timeout +option = entry_cache_group_timeout +option = entry_cache_netgroup_timeout +option = entry_cache_service_timeout +option = entry_cache_autofs_timeout +option = entry_cache_sudo_timeout +option = entry_cache_ssh_host_timeout +option = refresh_expired_interval + +# Dynamic DNS updates +option = dyndns_update +option = dyndns_ttl +option = dyndns_iface +option = dyndns_refresh_interval +option = dyndns_update_ptr +option = dyndns_force_tcp +option = dyndns_auth +option = dyndns_server + +# local provider specific options +option = create_homedir +option = remove_homedir +option = homedir_umask +option = skel_dir +option = mail_dir +option = userdel_cmd +option = base_directory + +# proxy provider specific options +option = proxy_lib_name +option = proxy_fast_alias +option = proxy_pam_target + +# simple access provider specific options +option = simple_allow_users +option = simple_deny_users +option = simple_allow_groups +option = simple_deny_groups + +# AD provider specific options +option = ad_access_filter +option = ad_backup_server +option = ad_domain +option = ad_enable_dns_sites +option = ad_enable_gc +option = ad_gpo_access_control +option = ad_gpo_cache_timeout +option = ad_gpo_default_right +option = ad_gpo_map_batch +option = ad_gpo_map_deny +option = ad_gpo_map_interactive +option = ad_gpo_map_network +option = ad_gpo_map_permit +option = ad_gpo_map_remote_interactive +option = ad_gpo_map_service +option = ad_hostname +option = ad_machine_account_password_renewal_opts +option = ad_maximum_machine_account_password_age +option = ad_server +option = ad_site + +# IPA provider specific options +option = ipa_anchor_uuid +option = ipa_automount_location +option = ipa_backup_server +option = ipa_domain +option = ipa_dyndns_iface +option = ipa_dyndns_ttl +option = ipa_dyndns_update +option = ipa_enable_dns_sites +option = ipa_group_override_object_class +option = ipa_hbac_refresh +option = ipa_hbac_search_base +option = ipa_hbac_support_srchost +option = ipa_host_fqdn +option = ipa_hostgroup_memberof +option = ipa_hostgroup_member +option = ipa_hostgroup_name +option = ipa_hostgroup_objectclass +option = ipa_hostgroup_uuid +option = ipa_host_member_of +option = ipa_host_name +option = ipa_hostname +option = ipa_host_object_class +option = ipa_host_search_base +option = ipa_host_serverhostname +option = ipa_host_ssh_public_key +option = ipa_host_uuid +option = ipa_master_domain_search_base +option = ipa_netgroup_domain +option = ipa_netgroup_member_ext_host +option = ipa_netgroup_member_host +option = ipa_netgroup_member_of +option = ipa_netgroup_member +option = ipa_netgroup_member_user +option = ipa_netgroup_name +option = ipa_netgroup_object_class +option = ipa_netgroup_uuid +option = ipa_overide_object_class +option = ipa_ranges_search_base +option = ipa_selinux_refresh +option = ipa_selinux_usermap_enabled +option = ipa_selinux_usermap_host_category +option = ipa_selinux_usermap_member_host +option = ipa_selinux_usermap_member_user +option = ipa_selinux_usermap_name +option = ipa_selinux_usermap_object_class +option = ipa_selinux_usermap_see_also +option = ipa_selinux_usermap_selinux_user +option = ipa_selinux_usermap_user_category +option = ipa_selinux_usermap_uuid +option = ipa_server_mode +option = ipa_server +option = ipa_subdomains_search_base +option = ipa_sudocmdgroup_entry_usn +option = ipa_sudocmdgroup_member +option = ipa_sudocmdgroup_name +option = ipa_sudocmdgroup_object_class +option = ipa_sudocmdgroup_uuid +option = ipa_sudocmd_memberof +option = ipa_sudocmd_object_class +option = ipa_sudocmd_sudoCmd +option = ipa_sudocmd_uuid +option = ipa_sudorule_allowcmd +option = ipa_sudorule_cmdcategory +option = ipa_sudorule_denycmd +option = ipa_sudorule_enabled_flag +option = ipa_sudorule_entry_usn +option = ipa_sudorule_externaluser +option = ipa_sudorule_hostcategory +option = ipa_sudorule_host +option = ipa_sudorule_name +option = ipa_sudorule_notafter +option = ipa_sudorule_notbefore +option = ipa_sudorule_object_class +option = ipa_sudorule_option +option = ipa_sudorule_runasextgroup +option = ipa_sudorule_runasextusergroup +option = ipa_sudorule_runasextuser +option = ipa_sudorule_runasgroupcategory +option = ipa_sudorule_runasgroup +option = ipa_sudorule_runasusercategory +option = ipa_sudorule_sudoorder +option = ipa_sudorule_usercategory +option = ipa_sudorule_user +option = ipa_sudorule_uuid +option = ipa_user_override_object_class +option = ipa_view_class +option = ipa_view_name +option = ipa_views_search_base + +# krb5 provider specific options +option = krb5_auth_timeout +option = krb5_backup_kpasswd +option = krb5_backup_server +option = krb5_canonicalize +option = krb5_ccachedir +option = krb5_ccname_template +option = krb5_confd_path +option = krb5_fast_principal +option = krb5_kdcip +option = krb5_keytab +option = krb5_kpasswd +option = krb5_lifetime +option = krb5_map_user +option = krb5_realm +option = krb5_realm +option = krb5_renewable_lifetime +option = krb5_renew_interval +option = krb5_server +option = krb5_store_password_if_offline +option = krb5_use_enterprise_principal +option = krb5_use_fast +option = krb5_use_kdcinfo +option = krb5_validate + +# ldap provider specific options +option = ldap_access_filter +option = ldap_access_order +option = ldap_account_expire_policy +option = ldap_autofs_entry_key +option = ldap_autofs_entry_object_class +option = ldap_autofs_entry_value +option = ldap_autofs_map_master_name +option = ldap_autofs_map_name +option = ldap_autofs_map_object_class +option = ldap_autofs_search_base +option = ldap_backup_uri +option = ldap_chpass_backup_uri +option = ldap_chpass_dns_service_name +option = ldap_chpass_update_last_change +option = ldap_chpass_uri +option = ldap_connection_expire_timeout +option = ldap_default_authtok +option = ldap_default_authtok_type +option = ldap_default_bind_dn +option = ldap_deref +option = ldap_deref_threshold +option = ldap_disable_paging +option = ldap_disable_range_retrieval +option = ldap_dns_service_name +option = ldap_entry_usn +option = ldap_enumeration_refresh_timeout +option = ldap_enumeration_search_timeout +option = ldap_force_upper_case_realm +option = ldap_group_entry_usn +option = ldap_group_external_member +option = ldap_group_gid_number +option = ldap_group_member +option = ldap_group_modify_timestamp +option = ldap_group_name +option = ldap_group_nesting_level +option = ldap_group_object_class +option = ldap_group_objectsid +option = ldap_group_search_base +option = ldap_group_search_filter +option = ldap_group_search_scope +option = ldap_groups_use_matching_rule_in_chain +option = ldap_group_type +option = ldap_group_uuid +option = ldap_idmap_autorid_compat +option = ldap_idmap_default_domain_sid +option = ldap_idmap_default_domain +option = ldap_idmap_helper_table_size +option = ldap_id_mapping +option = ldap_idmap_range_max +option = ldap_idmap_range_min +option = ldap_idmap_range_size +option = ldap_id_use_start_tls +option = ldap_initgroups_use_matching_rule_in_chain +option = ldap_krb5_init_creds +option = ldap_krb5_keytab +option = ldap_krb5_ticket_lifetime +option = ldap_max_id +option = ldap_min_id +option = ldap_netgroup_member +option = ldap_netgroup_modify_timestamp +option = ldap_netgroup_name +option = ldap_netgroup_object_class +option = ldap_netgroup_search_base +option = ldap_netgroup_triple +option = ldap_network_timeout +option = ldap_ns_account_lock +option = ldap_offline_timeout +option = ldap_opt_timeout +option = ldap_page_size +option = ldap_purge_cache_timeout +option = ldap_pwd_attribute +option = ldap_pwdlockout_dn +option = ldap_pwd_policy +option = ldap_referrals +option = ldap_rfc2307_fallback_to_local_users +option = ldap_rootdse_last_usn +option = ldap_sasl_authid +option = ldap_sasl_canonicalize +option = ldap_sasl_mech +option = ldap_sasl_minssf +option = ldap_schema +option = ldap_search_base +option = ldap_search_timeout +option = ldap_service_entry_usn +option = ldap_service_name +option = ldap_service_object_class +option = ldap_service_port +option = ldap_service_proto +option = ldap_service_search_base +option = ldap_sudo_full_refresh_interval +option = ldap_sudo_hostnames +option = ldap_sudo_include_netgroups +option = ldap_sudo_include_regexp +option = ldap_sudo_ip +option = ldap_sudorule_command +option = ldap_sudorule_host +option = ldap_sudorule_name +option = ldap_sudorule_notafter +option = ldap_sudorule_notbefore +option = ldap_sudorule_object_class +option = ldap_sudorule_option +option = ldap_sudorule_order +option = ldap_sudorule_runasgroup +option = ldap_sudorule_runas +option = ldap_sudorule_runasuser +option = ldap_sudorule_user +option = ldap_sudo_search_base +option = ldap_sudo_smart_refresh_interval +option = ldap_sudo_use_host_filter +option = ldap_tls_cacertdir +option = ldap_tls_cacert +option = ldap_tls_cert +option = ldap_tls_cipher_suite +option = ldap_tls_key +option = ldap_tls_reqcert +option = ldap_uri +option = ldap_user_ad_account_expires +option = ldap_user_ad_user_account_control +option = ldap_user_authorized_host +option = ldap_user_authorized_service +option = ldap_user_auth_type +option = ldap_user_certificate +option = ldap_user_entry_usn +option = ldap_user_extra_attrs +option = ldap_user_fullname +option = ldap_user_gecos +option = ldap_user_gid_number +option = ldap_user_home_directory +option = ldap_user_krb_last_pwd_change +option = ldap_user_krb_password_expiration +option = ldap_user_member_of +option = ldap_user_modify_timestamp +option = ldap_user_name +option = ldap_user_nds_login_allowed_time_map +option = ldap_user_nds_login_disabled +option = ldap_user_nds_login_expiration_time +option = ldap_user_object_class +option = ldap_user_objectsid +option = ldap_user_primary_group +option = ldap_user_principal +option = ldap_user_search_base +option = ldap_user_search_filter +option = ldap_user_search_scope +option = ldap_user_shadow_expire +option = ldap_user_shadow_flag +option = ldap_user_shadow_inactive +option = ldap_user_shadow_last_change +option = ldap_user_shadow_max +option = ldap_user_shadow_min +option = ldap_user_shadow_warning +option = ldap_user_shell +option = ldap_user_ssh_public_key +option = ldap_user_uid_number +option = ldap_user_uuid +option = ldap_use_tokengroups -- 2.7.4
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
