On 06/23/2016 10:22 PM, Jakub Hrozek wrote:
On Thu, Jun 23, 2016 at 10:19:49PM +0200, Michal Židek wrote:
On 06/23/2016 10:17 PM, Jakub Hrozek wrote:
On Thu, Jun 23, 2016 at 10:12:21PM +0200, Michal Židek wrote:
On 06/23/2016 10:08 PM, Jakub Hrozek wrote:
On Thu, Jun 23, 2016 at 11:10:57AM +0200, Lukas Slebodnik wrote:
@@ -217,6 +216,14 @@ int confdb_init_db(const char *config_file, const char
*config_dir,
goto done;
}
+ /* FIXME: Do not hardcode the path */
+ ret = sss_ini_call_validators(init_data,
+ "/var/lib/sss/cfg_rules.ini");
Why can't we use localstatedir here instead of hardcoding /var?
It is fixed in the second patch, together with
some build system changes.
ah, OK.
Btw the FIXME was not removed because it can be
made configurable via command line option in the
future.
But I think we will never do it, so the FIXME
line can probably be removed as well.
Should I send a new patch without the FIXME?
Yes please, can you also submit it to CI?
Pushed to CI.
http://sssd-ci.idm.lab.eng.brq.redhat.com:8080/job/ci/4601/
Michal
>From 016a93e6772e8e95b1aa8baeacbc22487084fc57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com>
Date: Wed, 22 Jun 2016 19:11:42 +0200
Subject: [PATCH 1/3] confdb: Check for config file errors on sssd startup
Resolves:
https://fedorahosted.org/sssd/ticket/2028
Signed-off-by: Lukas Slebodnik <lsleb...@redhat.com>
---
src/confdb/confdb.c | 2 +-
src/confdb/confdb.h | 2 +-
src/confdb/confdb_setup.c | 9 ++++++++-
src/util/sss_ini.c | 49 +++++++++++++++++++++++++++++++++++++++++++++--
src/util/sss_ini.h | 4 ++++
5 files changed, 61 insertions(+), 5 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index d409344..b99c6cf 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1,7 +1,7 @@
/*
SSSD
- NSS Configuratoin DB
+ SSSD Configuration DB
Copyright (C) Simo Sorce <sso...@redhat.com> 2008
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2cd75b9..eb5764c 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -1,7 +1,7 @@
/*
SSSD
- NSS Configuratoin DB
+ SSSD Configuration DB
Copyright (C) Simo Sorce <sso...@redhat.com> 2008
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
index b17a34b..e3d1fc5 100644
--- a/src/confdb/confdb_setup.c
+++ b/src/confdb/confdb_setup.c
@@ -141,7 +141,6 @@ int confdb_init_db(const char *config_file, const char *config_dir,
struct ldb_ldif *ldif;
struct sss_ini_initdata *init_data;
-
tmp_ctx = talloc_new(cdb);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n");
@@ -217,6 +216,14 @@ int confdb_init_db(const char *config_file, const char *config_dir,
goto done;
}
+ /* FIXME: Do not hardcode the path */
+ ret = sss_ini_call_validators(init_data,
+ "/var/lib/sss/cfg_rules.ini");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to call validators\n");
+ /* This is not fatal, continue */
+ }
+
/* Make sure that the config file version matches the confdb version */
ret = sss_ini_get_cfgobj(init_data, "sssd", "config_file_version");
if (ret != EOK) {
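Review bot: The message logged when `sss_ini_call_validators` fails carries no error code, so this call site does not record why validation was skipped. Consider `DEBUG(SSSDBG_CRIT_FAILURE, "Failed to call validators: %d [%s]\n", ret, strerror(ret));`, in line with the format used inside the helper. Because the failure is deliberately non-fatal, a missing or unreadable rules file means the daemon starts with an unvalidated configuration, and this line is the only trace of that at the call site. The body of confdb_init_db starts and ends outside the hunk.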
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index 75f8418..8ae277b 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -60,8 +60,6 @@ struct sss_ini_initdata {
#define sss_ini_get_const_string_config_value ini_get_const_string_config_value
#define sss_ini_get_config_obj ini_get_config_valueobj
-
-
#else
struct sss_ini_initdata {
@@ -552,3 +550,50 @@ error:
talloc_free(ldif);
return ret;
}
+
+int sss_ini_call_validators(struct sss_ini_initdata *data,
+ const char *rules_path)
+{
+#ifdef HAVE_LIBINI_CONFIG_V1_3
+ int ret;
+ struct ini_cfgobj *rules_cfgobj = NULL;
+ struct ini_errobj *errobj = NULL;
+
+ ret = ini_errobj_create(&errobj);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to create error list\n");
+ goto done;
+ }
+
+ ret = ini_rules_read_from_file(rules_path, &rules_cfgobj);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to read sssd.conf schema %d [%s]\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = ini_rules_check(rules_cfgobj, data->sssd_config, NULL, errobj);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "ini_rules_check failed %d [%s]\n", ret, strerror(ret));
+ goto done;
+ }
+
+ /* Do not error out when validators find some issue */
+ while (!ini_errobj_no_more_msgs(errobj)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "%s\n", ini_errobj_get_msg(errobj));
+ ini_errobj_next(errobj);
+ }
+
+done:
+ if (rules_cfgobj) ini_config_destroy(rules_cfgobj);
+ ini_errobj_destroy(&errobj);
+
+ return ret;
+#else
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "libini_config does not support configuration file validataion\n");
+ return EOK;
+#endif /* HAVE_LIBINI_CONFIG_V1_3 */
+}
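Review bot: Validator findings are only written through DEBUG and the function then returns EOK, so the caller cannot distinguish a clean sssd.conf from one with unknown sections or options. If a mistyped option is otherwise silently ignored (not visible in this hunk), the administrator learns about it only from the log. Consider a comment above the function such as `/* Findings are only logged at SSSDBG_CRIT_FAILURE; EOK does not mean the config is clean */`, or counting the messages so a caller can act on them later. The three error paths log at `SSSDBG_FATAL_FAILURE` although the caller in confdb_init_db treats the failure as non-fatal, so `SSSDBG_CRIT_FAILURE` would fit better. In the `#else` message, `validataion` should be `validation`.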
diff --git a/src/util/sss_ini.h b/src/util/sss_ini.h
index f5b36de..7734bab 100644
--- a/src/util/sss_ini.h
+++ b/src/util/sss_ini.h
@@ -79,4 +79,8 @@ int sss_confdb_create_ldif(TALLOC_CTX *mem_ctx,
struct sss_ini_initdata *init_data,
const char **config_ldif);
+/* Validate sssd.conf if libini_config support it */
+int sss_ini_call_validators(struct sss_ini_initdata *data,
+ const char *rules_path);
+
#endif /* __SSS_INI_H__ */
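Review bot: The comment on the new prototype does not state the return contract, which is not obvious from the name. Per the implementation in this patch, EOK is returned both when libini_config lacks validator support and when validators report problems; an error comes back only when the error list cannot be created, the rules file cannot be read, or the check itself fails. I would expand it into a short doc comment that describes `rules_path` as the path of the rules file and spells out those return cases. In the existing wording, `support` should be `supports`.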
--
2.5.0
>From 06b42667ab36f903b002eed16d22718b2d686b3f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Thu, 23 Jun 2016 08:52:18 +0200
Subject: [PATCH 2/3] Prepare ini schema with rules for validation
Resolves:
https://fedorahosted.org/sssd/ticket/2028
---
Makefile.am | 5 +-
contrib/sssd.spec.in | 1 +
src/confdb/confdb_setup.c | 3 +-
src/config/cfg_rules.ini | 615 ++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 621 insertions(+), 3 deletions(-)
create mode 100644 src/config/cfg_rules.ini
diff --git a/Makefile.am b/Makefile.am
index a75b90d..6821b73 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -452,6 +452,7 @@ AM_CPPFLAGS = \
-DSSS_STATEDIR=\"$(sss_statedir)\" \
-DSYSCONFDIR=\"$(sysconfdir)\" \
-DSHLIBEXT=\"$(SHLIBEXT)\" \
+ -DSSSDDATADIR=\"$(sssddatadir)\" \
-DSSSD_LIBEXEC_PATH=\"$(sssdlibexecdir)\" \
-DSSSD_CONF_DIR=\"$(sssdconfdir)\" \
-DSSSD_DEFAULT_CONF_DIR=\"$(sssddefaultconfdir)\" \
@@ -3775,7 +3776,9 @@ endif
dist_sssddata_DATA = \
- src/config/etc/sssd.api.conf
+ src/config/etc/sssd.api.conf \
+ src/config/cfg_rules.ini \
+ $(NULL)
dist_sssdapiplugin_DATA = \
src/config/etc/sssd.api.d/sssd-ipa.conf \
src/config/etc/sssd.api.d/sssd-ad.conf \
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 37d5ace..9ba92cf 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -795,6 +795,7 @@ done
%{_sysconfdir}/pam.d/sssd-shadowutils
%{_libdir}/%{name}/conf/sssd.conf
+%{_datadir}/sssd/cfg_rules.ini
%{_datadir}/sssd/sssd.api.conf
%{_datadir}/sssd/sssd.api.d
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
index e3d1fc5..34c3f37 100644
--- a/src/confdb/confdb_setup.c
+++ b/src/confdb/confdb_setup.c
@@ -216,9 +216,8 @@ int confdb_init_db(const char *config_file, const char *config_dir,
goto done;
}
- /* FIXME: Do not hardcode the path */
ret = sss_ini_call_validators(init_data,
- "/var/lib/sss/cfg_rules.ini");
+ SSSDDATADIR"/cfg_rules.ini");
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to call validators\n");
/* This is not fatal, continue */
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
new file mode 100644
index 0000000..d738ddf
--- /dev/null
+++ b/src/config/cfg_rules.ini
@@ -0,0 +1,615 @@
+[rule/allowed_sections]
+validator = ini_allowed_sections
+section = sssd
+section = nss
+section = pam
+section = sudo
+section = autofs
+section = ssh
+section = pac
+section = ifp
+section_re = ^domain/.*$
+
+[rule/allowed_sssd_options]
+validator = ini_allowed_options
+section_re = ^sssd$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# Monitor service
+option = services
+option = domains
+option = timeout
+option = sbus_timeout
+option = re_expression
+option = full_name_format
+option = krb5_rcache_dir
+option = user
+option = default_domain_suffix
+option = certificate_verification
+
+[rule/allowed_nss_options]
+validator = ini_allowed_options
+section_re = ^nss$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# Name service
+option = enum_cache_timeout
+option = entry_cache_nowait_percentage
+option = entry_negative_timeout
+option = local_negative_timeout
+option = filter_users
+option = filter_groups
+option = filter_users_in_groups
+option = pwfield
+option = override_homedir
+option = fallback_homedir
+option = homedir_substring
+option = override_shell
+option = allowed_shells
+option = vetoed_shells
+option = shell_fallback
+option = default_shell
+option = get_domains_timeout
+option = memcache_timeout
+option = override_space
+
+[rule/allowed_pam_options]
+validator = ini_allowed_options
+section_re = ^pam$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# Authentication service
+option = offline_credentials_expiration
+option = offline_failed_login_attempts
+option = offline_failed_login_delay
+option = pam_verbosity
+option = pam_id_timeout
+option = pam_pwd_expiration_warning
+option = get_domains_timeout
+option = pam_trusted_users
+option = pam_public_domains
+option = pam_account_expired_message
+option = pam_account_locked_message
+option = pam_cert_auth
+option = pam_cert_db_path
+option = p11_child_timeout
+
+[rule/allowed_sudo_options]
+validator = ini_allowed_options
+section_re = ^sudo$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# sudo service
+option = sudo_timed
+option = sudo_inverse_order
+
+[rule/allowed_autofs_options]
+validator = ini_allowed_options
+section_re = ^autofs$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# autofs service
+option = autofs_negative_timeout
+
+[rule/allowed_ssh_options]
+validator = ini_allowed_options
+section_re = ^ssh$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# ssh service
+option = ssh_hash_known_hosts
+option = ssh_known_hosts_timeout
+option = ca_db
+
+[rule/allowed_pac_options]
+validator = ini_allowed_options
+section_re = ^pac$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# PAC responder
+option = allowed_uids
+option = user_attributes
+option = pac_lifetime
+
+[rule/allowed_ifp_options]
+validator = ini_allowed_options
+section_re = ^ifp$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# InfoPipe responder
+option = allowed_uids
+option = user_attributes
+
+[rule/allowed_domain_options]
+validator = ini_allowed_options
+section_re = ^domain/.*$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+#Available provider types
+option = id_provider
+option = auth_provider
+option = access_provider
+option = chpass_provider
+option = sudo_provider
+option = autofs_provider
+option = session_provider
+option = hostid_provider
+option = subdomains_provider
+
+# Options available to all domains
+option = min_id
+option = max_id
+option = timeout
+option = try_inotify
+option = enumerate
+option = subdomain_enumerate
+option = force_timeout
+option = offline_timeout
+option = cache_credentials
+option = cache_credentials_minimal_first_factor_length
+option = store_legacy_passwords
+option = use_fully_qualified_names
+option = ignore_group_members
+option = entry_cache_timeout
+option = lookup_family_order
+option = account_cache_expiration
+option = pwd_expiration_warning
+option = filter_users
+option = filter_groups
+option = dns_resolver_timeout
+option = dns_discovery_domain
+option = override_gid
+option = case_sensitive
+option = override_homedir
+option = fallback_homedir
+option = homedir_substring
+option = override_shell
+option = default_shell
+option = description
+option = realmd_tags
+option = subdomain_refresh_interval
+option = subdomain_inherit
+option = cached_auth_timeout
+option = wildcard_limit
+
+#Entry cache timeouts
+option = entry_cache_user_timeout
+option = entry_cache_group_timeout
+option = entry_cache_netgroup_timeout
+option = entry_cache_service_timeout
+option = entry_cache_autofs_timeout
+option = entry_cache_sudo_timeout
+option = entry_cache_ssh_host_timeout
+option = refresh_expired_interval
+
+# Dynamic DNS updates
+option = dyndns_update
+option = dyndns_ttl
+option = dyndns_iface
+option = dyndns_refresh_interval
+option = dyndns_update_ptr
+option = dyndns_force_tcp
+option = dyndns_auth
+option = dyndns_server
+
+# local provider specific options
+option = create_homedir
+option = remove_homedir
+option = homedir_umask
+option = skel_dir
+option = mail_dir
+option = userdel_cmd
+option = base_directory
+
+# proxy provider specific options
+option = proxy_lib_name
+option = proxy_fast_alias
+option = proxy_pam_target
+
+# simple access provider specific options
+option = simple_allow_users
+option = simple_deny_users
+option = simple_allow_groups
+option = simple_deny_groups
+
+# AD provider specific options
+option = ad_access_filter
+option = ad_backup_server
+option = ad_domain
+option = ad_enable_dns_sites
+option = ad_enable_gc
+option = ad_gpo_access_control
+option = ad_gpo_cache_timeout
+option = ad_gpo_default_right
+option = ad_gpo_map_batch
+option = ad_gpo_map_deny
+option = ad_gpo_map_interactive
+option = ad_gpo_map_network
+option = ad_gpo_map_permit
+option = ad_gpo_map_remote_interactive
+option = ad_gpo_map_service
+option = ad_hostname
+option = ad_machine_account_password_renewal_opts
+option = ad_maximum_machine_account_password_age
+option = ad_server
+option = ad_site
+
+# IPA provider specific options
+option = ipa_anchor_uuid
+option = ipa_automount_location
+option = ipa_backup_server
+option = ipa_domain
+option = ipa_dyndns_iface
+option = ipa_dyndns_ttl
+option = ipa_dyndns_update
+option = ipa_enable_dns_sites
+option = ipa_group_override_object_class
+option = ipa_hbac_refresh
+option = ipa_hbac_search_base
+option = ipa_hbac_support_srchost
+option = ipa_host_fqdn
+option = ipa_hostgroup_memberof
+option = ipa_hostgroup_member
+option = ipa_hostgroup_name
+option = ipa_hostgroup_objectclass
+option = ipa_hostgroup_uuid
+option = ipa_host_member_of
+option = ipa_host_name
+option = ipa_hostname
+option = ipa_host_object_class
+option = ipa_host_search_base
+option = ipa_host_serverhostname
+option = ipa_host_ssh_public_key
+option = ipa_host_uuid
+option = ipa_master_domain_search_base
+option = ipa_netgroup_domain
+option = ipa_netgroup_member_ext_host
+option = ipa_netgroup_member_host
+option = ipa_netgroup_member_of
+option = ipa_netgroup_member
+option = ipa_netgroup_member_user
+option = ipa_netgroup_name
+option = ipa_netgroup_object_class
+option = ipa_netgroup_uuid
+option = ipa_overide_object_class
+option = ipa_ranges_search_base
+option = ipa_selinux_refresh
+option = ipa_selinux_usermap_enabled
+option = ipa_selinux_usermap_host_category
+option = ipa_selinux_usermap_member_host
+option = ipa_selinux_usermap_member_user
+option = ipa_selinux_usermap_name
+option = ipa_selinux_usermap_object_class
+option = ipa_selinux_usermap_see_also
+option = ipa_selinux_usermap_selinux_user
+option = ipa_selinux_usermap_user_category
+option = ipa_selinux_usermap_uuid
+option = ipa_server_mode
+option = ipa_server
+option = ipa_subdomains_search_base
+option = ipa_sudocmdgroup_entry_usn
+option = ipa_sudocmdgroup_member
+option = ipa_sudocmdgroup_name
+option = ipa_sudocmdgroup_object_class
+option = ipa_sudocmdgroup_uuid
+option = ipa_sudocmd_memberof
+option = ipa_sudocmd_object_class
+option = ipa_sudocmd_sudoCmd
+option = ipa_sudocmd_uuid
+option = ipa_sudorule_allowcmd
+option = ipa_sudorule_cmdcategory
+option = ipa_sudorule_denycmd
+option = ipa_sudorule_enabled_flag
+option = ipa_sudorule_entry_usn
+option = ipa_sudorule_externaluser
+option = ipa_sudorule_hostcategory
+option = ipa_sudorule_host
+option = ipa_sudorule_name
+option = ipa_sudorule_notafter
+option = ipa_sudorule_notbefore
+option = ipa_sudorule_object_class
+option = ipa_sudorule_option
+option = ipa_sudorule_runasextgroup
+option = ipa_sudorule_runasextusergroup
+option = ipa_sudorule_runasextuser
+option = ipa_sudorule_runasgroupcategory
+option = ipa_sudorule_runasgroup
+option = ipa_sudorule_runasusercategory
+option = ipa_sudorule_sudoorder
+option = ipa_sudorule_usercategory
+option = ipa_sudorule_user
+option = ipa_sudorule_uuid
+option = ipa_user_override_object_class
+option = ipa_view_class
+option = ipa_view_name
+option = ipa_views_search_base
+
+# krb5 provider specific options
+option = krb5_auth_timeout
+option = krb5_backup_kpasswd
+option = krb5_backup_server
+option = krb5_canonicalize
+option = krb5_ccachedir
+option = krb5_ccname_template
+option = krb5_confd_path
+option = krb5_fast_principal
+option = krb5_kdcip
+option = krb5_keytab
+option = krb5_kpasswd
+option = krb5_lifetime
+option = krb5_map_user
+option = krb5_realm
+option = krb5_realm
+option = krb5_renewable_lifetime
+option = krb5_renew_interval
+option = krb5_server
+option = krb5_store_password_if_offline
+option = krb5_use_enterprise_principal
+option = krb5_use_fast
+option = krb5_use_kdcinfo
+option = krb5_validate
+
+# ldap provider specific options
+option = ldap_access_filter
+option = ldap_access_order
+option = ldap_account_expire_policy
+option = ldap_autofs_entry_key
+option = ldap_autofs_entry_object_class
+option = ldap_autofs_entry_value
+option = ldap_autofs_map_master_name
+option = ldap_autofs_map_name
+option = ldap_autofs_map_object_class
+option = ldap_autofs_search_base
+option = ldap_backup_uri
+option = ldap_chpass_backup_uri
+option = ldap_chpass_dns_service_name
+option = ldap_chpass_update_last_change
+option = ldap_chpass_uri
+option = ldap_connection_expire_timeout
+option = ldap_default_authtok
+option = ldap_default_authtok_type
+option = ldap_default_bind_dn
+option = ldap_deref
+option = ldap_deref_threshold
+option = ldap_disable_paging
+option = ldap_disable_range_retrieval
+option = ldap_dns_service_name
+option = ldap_entry_usn
+option = ldap_enumeration_refresh_timeout
+option = ldap_enumeration_search_timeout
+option = ldap_force_upper_case_realm
+option = ldap_group_entry_usn
+option = ldap_group_external_member
+option = ldap_group_gid_number
+option = ldap_group_member
+option = ldap_group_modify_timestamp
+option = ldap_group_name
+option = ldap_group_nesting_level
+option = ldap_group_object_class
+option = ldap_group_objectsid
+option = ldap_group_search_base
+option = ldap_group_search_filter
+option = ldap_group_search_scope
+option = ldap_groups_use_matching_rule_in_chain
+option = ldap_group_type
+option = ldap_group_uuid
+option = ldap_idmap_autorid_compat
+option = ldap_idmap_default_domain_sid
+option = ldap_idmap_default_domain
+option = ldap_idmap_helper_table_size
+option = ldap_id_mapping
+option = ldap_idmap_range_max
+option = ldap_idmap_range_min
+option = ldap_idmap_range_size
+option = ldap_id_use_start_tls
+option = ldap_initgroups_use_matching_rule_in_chain
+option = ldap_krb5_init_creds
+option = ldap_krb5_keytab
+option = ldap_krb5_ticket_lifetime
+option = ldap_max_id
+option = ldap_min_id
+option = ldap_netgroup_member
+option = ldap_netgroup_modify_timestamp
+option = ldap_netgroup_name
+option = ldap_netgroup_object_class
+option = ldap_netgroup_search_base
+option = ldap_netgroup_triple
+option = ldap_network_timeout
+option = ldap_ns_account_lock
+option = ldap_offline_timeout
+option = ldap_opt_timeout
+option = ldap_page_size
+option = ldap_purge_cache_timeout
+option = ldap_pwd_attribute
+option = ldap_pwdlockout_dn
+option = ldap_pwd_policy
+option = ldap_referrals
+option = ldap_rfc2307_fallback_to_local_users
+option = ldap_rootdse_last_usn
+option = ldap_sasl_authid
+option = ldap_sasl_canonicalize
+option = ldap_sasl_mech
+option = ldap_sasl_minssf
+option = ldap_schema
+option = ldap_search_base
+option = ldap_search_timeout
+option = ldap_service_entry_usn
+option = ldap_service_name
+option = ldap_service_object_class
+option = ldap_service_port
+option = ldap_service_proto
+option = ldap_service_search_base
+option = ldap_sudo_full_refresh_interval
+option = ldap_sudo_hostnames
+option = ldap_sudo_include_netgroups
+option = ldap_sudo_include_regexp
+option = ldap_sudo_ip
+option = ldap_sudorule_command
+option = ldap_sudorule_host
+option = ldap_sudorule_name
+option = ldap_sudorule_notafter
+option = ldap_sudorule_notbefore
+option = ldap_sudorule_object_class
+option = ldap_sudorule_option
+option = ldap_sudorule_order
+option = ldap_sudorule_runasgroup
+option = ldap_sudorule_runas
+option = ldap_sudorule_runasuser
+option = ldap_sudorule_user
+option = ldap_sudo_search_base
+option = ldap_sudo_smart_refresh_interval
+option = ldap_sudo_use_host_filter
+option = ldap_tls_cacertdir
+option = ldap_tls_cacert
+option = ldap_tls_cert
+option = ldap_tls_cipher_suite
+option = ldap_tls_key
+option = ldap_tls_reqcert
+option = ldap_uri
+option = ldap_user_ad_account_expires
+option = ldap_user_ad_user_account_control
+option = ldap_user_authorized_host
+option = ldap_user_authorized_service
+option = ldap_user_auth_type
+option = ldap_user_certificate
+option = ldap_user_entry_usn
+option = ldap_user_extra_attrs
+option = ldap_user_fullname
+option = ldap_user_gecos
+option = ldap_user_gid_number
+option = ldap_user_home_directory
+option = ldap_user_krb_last_pwd_change
+option = ldap_user_krb_password_expiration
+option = ldap_user_member_of
+option = ldap_user_modify_timestamp
+option = ldap_user_name
+option = ldap_user_nds_login_allowed_time_map
+option = ldap_user_nds_login_disabled
+option = ldap_user_nds_login_expiration_time
+option = ldap_user_object_class
+option = ldap_user_objectsid
+option = ldap_user_primary_group
+option = ldap_user_principal
+option = ldap_user_search_base
+option = ldap_user_search_filter
+option = ldap_user_search_scope
+option = ldap_user_shadow_expire
+option = ldap_user_shadow_flag
+option = ldap_user_shadow_inactive
+option = ldap_user_shadow_last_change
+option = ldap_user_shadow_max
+option = ldap_user_shadow_min
+option = ldap_user_shadow_warning
+option = ldap_user_shell
+option = ldap_user_ssh_public_key
+option = ldap_user_uid_number
+option = ldap_user_uuid
+option = ldap_use_tokengroups
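Review bot: The domain rule lists some options twice: `force_timeout` and `description` appear in the common block and again under "Options available to all domains", and `option = krb5_realm` is repeated on consecutive lines; the duplicates can be dropped. The twelve common options (`debug` through `diag_cmd`) are copied into every section rule, and the whole allow-list has to track the options the code actually reads. An option added later without a matching line here would presumably be reported as unknown (the validator behaviour is not shown on this page), and false warnings teach administrators to ignore the real ones. A comment at the top of the file saying it must be updated with every new option, plus a test that checks the file against the option tables, would keep the warnings trustworthy.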
--
2.5.0