Mini Shell
import sys
import gettext
PACKAGE = 'sss_daemon'
LOCALEDIR = '/usr/share/locale'
translation = gettext.translation(PACKAGE, LOCALEDIR, fallback=True)
if sys.version_info[0] > 2:
_ = translation.gettext
else:
_ = translation.ugettext
class SSSDOptions(object):
def __init__(self):
pass
option_strings = {
# [service]
'debug': _('Set the verbosity of the debug logging'),
'debug_level': _('Set the verbosity of the debug logging'),
'debug_timestamps': _('Include timestamps in debug logs'),
'debug_microseconds': _('Include microseconds in timestamps in debug logs'),
'debug_backtrace_enabled': _('Enable/disable debug backtrace'),
'timeout': _('Watchdog timeout before restarting service'),
'command': _('Command to start service'),
'reconnection_retries': _('Number of times to attempt connection to Data Providers'),
'fd_limit': _('The number of file descriptors that may be opened by this responder'),
'client_idle_timeout': _('Idle time before automatic disconnection of a client'),
'responder_idle_timeout': _('Idle time before automatic shutdown of the responder'),
'cache_first': _('Always query all the caches before querying the Data Providers'),
'offline_timeout': _('When SSSD switches to offline mode the amount of time before it tries to go back online '
'will increase based upon the time spent disconnected. This value is in seconds and '
'calculated by the following: offline_timeout + random_offset.'),
# [sssd]
'config_file_version': _(
'Indicates what is the syntax of the config file. SSSD 0.6.0 and later use version 2.'),
'services': _('SSSD Services to start'),
'domains': _('SSSD Domains to start'),
're_expression': _('Regex to parse username and domain'),
'full_name_format': _('Printf-compatible format for displaying fully-qualified names'),
'krb5_rcache_dir': _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
'default_domain_suffix': _('Domain to add to names without a domain component.'),
'user': _('The user to drop privileges to'),
'certificate_verification': _('Tune certificate verification'),
'override_space': _('All spaces in group or user names will be replaced with this character'),
'disable_netlink': _('Tune sssd to honor or ignore netlink state changes'),
'enable_files_domain': _('Enable or disable the implicit files domain'),
'domain_resolution_order': _('A specific order of the domains to be looked up'),
'monitor_resolv_conf': _('Controls if SSSD should monitor the state of resolv.conf to identify when it needs '
'to update its internal DNS resolver.'),
'try_inotify': _('SSSD monitors the state of resolv.conf to identify when it needs to update its internal DNS '
'resolver. By default, we will attempt to use inotify for this, and will fall back to '
'polling resolv.conf every five seconds if inotify cannot be used.'),
'implicit_pac_responder': _('Run PAC responder automatically for AD and IPA provider'),
'core_dumpable': _('Enable or disable core dumps for all SSSD processes.'),
'passkey_verification': _('Tune passkey verification behavior'),
# [nss]
'enum_cache_timeout': _('Enumeration cache timeout length (seconds)'),
'entry_cache_no_wait_timeout': _('Entry cache background update timeout length (seconds)'),
'entry_negative_timeout': _('Negative cache timeout length (seconds)'),
'local_negative_timeout': _('Files negative cache timeout length (seconds)'),
'filter_users': _('Users that SSSD should explicitly ignore'),
'filter_groups': _('Groups that SSSD should explicitly ignore'),
'filter_users_in_groups': _('Should filtered users appear in groups'),
'pwfield': _('The value of the password field the NSS provider should return'),
'override_homedir': _('Override homedir value from the identity provider with this value'),
'fallback_homedir': _('Substitute empty homedir value from the identity provider with this value'),
'override_shell': _('Override shell value from the identity provider with this value'),
'allowed_shells': _('The list of shells users are allowed to log in with'),
'vetoed_shells': _('The list of shells that will be vetoed, and replaced with the fallback shell'),
'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'),
'default_shell': _('Shell to use if the provider does not list one'),
'memcache_timeout': _('How long will be in-memory cache records valid'),
'memcache_size_passwd': _(
'Size (in megabytes) of the data table allocated inside fast in-memory cache for passwd requests'),
'memcache_size_group': _(
'Size (in megabytes) of the data table allocated inside fast in-memory cache for group requests'),
'memcache_size_initgroups': _(
'Size (in megabytes) of the data table allocated inside fast in-memory cache for initgroups requests'),
'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option '
'if the template contains the format string %H.'),
'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered '
'valid.'),
'entry_cache_nowait_percentage': _('The entry cache can be set to automatically update entries in the '
'background if they are requested beyond a percentage of the '
'entry_cache_timeout value for the domain.'),
# [pam]
'offline_credentials_expiration': _('How long to allow cached logins between online logins (days)'),
'offline_failed_login_attempts': _('How many failed logins attempts are allowed when offline'),
'offline_failed_login_delay': _(
'How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
'pam_verbosity': _('What kind of messages are displayed to the user during authentication'),
'pam_response_filter': _('Filter PAM responses sent to the pam_sss'),
'pam_id_timeout': _('How many seconds to keep identity information cached for PAM requests'),
'pam_pwd_expiration_warning': _('How many days before password expiration a warning should be displayed'),
'pam_trusted_users': _('List of trusted uids or user\'s name'),
'pam_public_domains': _('List of domains accessible even for untrusted users.'),
'pam_account_expired_message': _('Message printed when user account is expired.'),
'pam_account_locked_message': _('Message printed when user account is locked.'),
'pam_cert_auth': _('Allow certificate based/Smartcard authentication.'),
'pam_cert_db_path': _('Path to certificate database with PKCS#11 modules.'),
'pam_cert_verification': _('Tune certificate verification for PAM authentication.'),
'p11_child_timeout': _('How many seconds will pam_sss wait for p11_child to finish'),
'pam_app_services': _('Which PAM services are permitted to contact application domains'),
'pam_p11_allowed_services': _('Allowed services for using smartcards'),
'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
'pam_initgroups_scheme': _('When shall the PAM responder force an initgroups request'),
'pam_gssapi_services': _('List of PAM services that are allowed to authenticate with GSSAPI.'),
'pam_gssapi_check_upn': _('Whether to match authenticated UPN with target user'),
'pam_gssapi_indicators_map': _('List of pairs <PAM service>:<authentication indicator> that '
'must be enforced for PAM access with GSSAPI authentication'),
'pam_passkey_auth': _('Allow passkey device authentication.'),
'passkey_child_timeout': _('How many seconds will pam_sss wait for passkey_child to finish'),
'passkey_debug_libfido2': _('Enable debugging in the libfido2 library'),
# [sudo]
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
'sudo_inverse_order': _('If true, SSSD will switch back to lower-wins ordering logic'),
'sudo_threshold': _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh '
'is performed.'),
# [autofs]
'autofs_negative_timeout': _('Negative cache timeout length (seconds)'),
# [ssh]
'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'),
'ssh_known_hosts_timeout': _('How many seconds to keep a host in the known_hosts file after its host keys '
'were requested'),
'ca_db': _('Path to storage of trusted CA certificates'),
'ssh_use_certificate_keys': _('Allow to generate ssh-keys from certificates'),
'ssh_use_certificate_matching_rules': _('Use the following matching rules to filter the certificates for '
'ssh-key generation'),
# [pac]
'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'),
'pac_lifetime': _('How long the PAC data is considered valid'),
'pac_check': _('Validate the PAC'),
# [ifp]
'user_attributes': _('List of user attributes the InfoPipe is allowed to publish'),
# [session_recording]
'scope': _('One of the following strings specifying the scope of session recording: none - No users are '
'recorded. some - Users/groups specified by users and groups options are recorded. all - All users '
'are recorded.'),
'users': _('A comma-separated list of users which should have session recording enabled. Matches user names '
'as returned by NSS. I.e. after the possible space replacement, case changes, etc.'),
'groups': _('A comma-separated list of groups, members of which should have session recording enabled. '
'Matches group names as returned by NSS. I.e. after the possible space replacement, case changes, '
'etc.'),
'exclude_users': _('A comma-separated list of users to be excluded from recording, only when scope=all'),
'exclude_groups': _('A comma-separated list of groups, members of which should be excluded from recording, '
' only when scope=all. '),
# [provider]
'id_provider': _('Identity provider'),
'auth_provider': _('Authentication provider'),
'access_provider': _('Access control provider'),
'chpass_provider': _('Password change provider'),
'sudo_provider': _('SUDO provider'),
'autofs_provider': _('Autofs provider'),
'hostid_provider': _('Host identity provider'),
'selinux_provider': _('SELinux provider'),
'session_provider': _('Session management provider'),
'resolver_provider': _('Resolver provider'),
# [domain]
'domain_type': _('Whether the domain is usable by the OS or by applications'),
'enabled': _('Enable or disable the domain'),
'min_id': _('Minimum user ID'),
'max_id': _('Maximum user ID'),
'enumerate': _('Enable enumerating all users/groups'),
'cache_credentials': _('Cache credentials for offline login'),
'use_fully_qualified_names': _('Display users/groups in fully-qualified form'),
'ignore_group_members': _('Don\'t include group members in group lookups'),
'entry_cache_timeout': _('Entry cache timeout length (seconds)'),
'lookup_family_order': _('Restrict or prefer a specific address family when performing DNS lookups'),
'account_cache_expiration': _('How long to keep cached entries after last successful login (days)'),
'dns_resolver_server_timeout': _('How long should SSSD talk to single DNS server before trying next server ('
'miliseconds)'),
'dns_resolver_op_timeout': _('How long should keep trying to resolve single DNS query (seconds)'),
'dns_resolver_timeout': _('How long to wait for replies from DNS when resolving servers (seconds)'),
'dns_discovery_domain': _('The domain part of service discovery DNS query'),
'override_gid': _('Override GID value from the identity provider with this value'),
'case_sensitive': _('Treat usernames as case sensitive'),
'entry_cache_user_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_group_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_netgroup_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_service_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_autofs_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_sudo_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_resolver_timeout': _('Entry cache timeout length (seconds)'),
'refresh_expired_interval': _('How often should expired entries be refreshed in background'),
'refresh_expired_interval_offset': _("Maximum period deviation when refreshing expired entries in background"),
'dyndns_update': _("Whether to automatically update the client's DNS entry"),
'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"),
'dyndns_refresh_interval_offset': _("Maximum period deviation when updating the client's DNS entry"),
'dyndns_update_ptr': _("Whether the provider should explicitly update the PTR record as well"),
'dyndns_force_tcp': _("Whether the nsupdate utility should default to using TCP"),
'dyndns_auth': _("What kind of authentication should be used to perform the DNS update"),
'dyndns_server': _("Override the DNS server used to perform the DNS update"),
'subdomain_enumerate': _('Control enumeration of trusted domains'),
'subdomain_refresh_interval': _('How often should subdomains list be refreshed'),
'subdomain_refresh_interval_offset': _('Maximum period deviation when refreshing the subdomain list'),
'subdomain_inherit': _('List of options that should be inherited into a subdomain'),
'subdomain_homedir': _('Default subdomain homedir value'),
'cached_auth_timeout': _('How long can cached credentials be used for cached authentication'),
'auto_private_groups': _('Whether to automatically create private groups for users'),
'pwd_expiration_warning': _('Display a warning N days before the password expires.'),
'realmd_tags': _('Various tags stored by the realmd configuration service for this domain.'),
'subdomains_provider': _('The provider which should handle fetching of subdomains. This value should be '
'always the same as id_provider.'),
'entry_cache_ssh_host_timeout': _('How many seconds to keep a host ssh key after refresh. IE how long to '
'cache the host key for.'),
'cache_credentials_minimal_first_factor_length': _('If 2-Factor-Authentication (2FA) is used and credentials '
'should be saved this value determines the minimal length '
'the first authentication factor (long term password) must '
'have to be saved as SHA512 hash into the cache.'),
'local_auth_policy': _('Local authentication methods policy '),
# [provider/ipa]
'ipa_domain': _('IPA domain'),
'ipa_server': _('IPA server address'),
'ipa_backup_server': _('Address of backup IPA server'),
'ipa_hostname': _('IPA client hostname'),
'ipa_dyndns_update': _("Whether to automatically update the client's DNS entry in FreeIPA"),
'ipa_dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
'ipa_dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
'ipa_hbac_search_base': _("Search base for HBAC related objects"),
'ipa_hbac_refresh': _("The amount of time between lookups of the HBAC rules against the IPA server"),
'ipa_selinux_refresh': _("The amount of time in seconds between lookups of the SELinux maps against the IPA "
"server"),
'ipa_hbac_support_srchost': _("If set to false, host argument given by PAM will be ignored"),
'ipa_automount_location': _("The automounter location this IPA client is using"),
'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"),
'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"),
'ipa_enable_dns_sites': _("Enable DNS sites - location based service discovery"),
'ipa_views_search_base': _("Search base for view containers"),
'ipa_view_class': _("Objectclass for view containers"),
'ipa_view_name': _("Attribute with the name of the view"),
'ipa_override_object_class': _("Objectclass for override objects"),
'ipa_anchor_uuid': _("Attribute with the reference to the original object"),
'ipa_user_override_object_class': _("Objectclass for user override objects"),
'ipa_group_override_object_class': _("Objectclass for group override objects"),
'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"),
'ipa_deskprofile_refresh': _("The amount of time in seconds between lookups of the Desktop Profile rules "
"against the IPA server"),
'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles "
"rules against the IPA server when the last request did not find any "
"rule"),
'ipa_subid_ranges_search_base': _("Search base for SUBID ranges"),
'ipa_access_order': _("Which rules should be used to evaluate access control"),
'ipa_host_fqdn': _('The LDAP attribute that contains FQDN of the host.'),
'ipa_host_object_class': _('The object class of a host entry in LDAP.'),
'ipa_host_search_base': _('Use the given string as search base for host objects.'),
'ipa_host_ssh_public_key': _('The LDAP attribute that contains the host\'s SSH public keys.'),
'ipa_netgroup_domain': _('The LDAP attribute that contains NIS domain name of the netgroup.'),
'ipa_netgroup_member': _('The LDAP attribute that contains the names of the netgroup\'s members.'),
'ipa_netgroup_member_ext_host': _('The LDAP attribute that lists FQDNs of hosts and host groups that are '
'members of the netgroup.'),
'ipa_netgroup_member_host': _('The LDAP attribute that lists hosts and host groups that are direct members of '
'the netgroup.'),
'ipa_netgroup_member_of': _('The LDAP attribute that lists netgroup\'s memberships.'),
'ipa_netgroup_member_user': _('The LDAP attribute that lists system users and groups that are direct members '
'of the netgroup.'),
'ipa_netgroup_name': _('The LDAP attribute that corresponds to the netgroup name.'),
'ipa_netgroup_object_class': _('The object class of a netgroup entry in LDAP.'),
'ipa_netgroup_uuid': _('The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object.'),
'ipa_selinux_usermap_enabled': _('The LDAP attribute that contains whether or not is user map enabled for '
'usage.'),
'ipa_selinux_usermap_host_category': _('The LDAP attribute that contains host category such as \'all\'.'),
'ipa_selinux_usermap_member_host': _('The LDAP attribute that contains all hosts / hostgroups this rule match '
'against.'),
'ipa_selinux_usermap_member_user': _('The LDAP attribute that contains all users / groups this rule match '
'against.'),
'ipa_selinux_usermap_name': _('The LDAP attribute that contains the name of SELinux usermap.'),
'ipa_selinux_usermap_object_class': _('The object class of a host entry in LDAP.'),
'ipa_selinux_usermap_see_also': _('The LDAP attribute that contains DN of HBAC rule which can be used for '
'matching instead of memberUser and memberHost.'),
'ipa_selinux_usermap_selinux_user': _('The LDAP attribute that contains SELinux user string itself.'),
'ipa_selinux_usermap_user_category': _('The LDAP attribute that contains user category such as \'all\'.'),
'ipa_selinux_usermap_uuid': _('The LDAP attribute that contains unique ID of the user map.'),
'ipa_server_mode': _('The option denotes that the SSSD is running on IPA server and should perform lookups of '
'users and groups from trusted domains differently.'),
'ipa_subdomains_search_base': _('Use the given string as search base for trusted domains.'),
# [provider/ad]
'ad_domain': _('Active Directory domain'),
'ad_enabled_domains': _('Enabled Active Directory domains'),
'ad_server': _('Active Directory server address'),
'ad_backup_server': _('Active Directory backup server address'),
'ad_hostname': _('Active Directory client hostname'),
'ad_enable_dns_sites': _('Enable DNS sites - location based service discovery'),
'ad_access_filter': _('LDAP filter to determine access privileges'),
'ad_enable_gc': _('Whether to use the Global Catalog for lookups'),
'ad_gpo_access_control': _('Operation mode for GPO-based access control'),
'ad_gpo_cache_timeout': _("The amount of time between lookups of the GPO policy files against the AD server"),
'ad_gpo_map_interactive': _('PAM service names that map to the GPO (Deny)InteractiveLogonRight '
'policy settings'),
'ad_gpo_map_remote_interactive': _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight '
'policy settings'),
'ad_gpo_map_network': _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'),
'ad_gpo_map_batch': _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'),
'ad_gpo_map_service': _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'),
'ad_gpo_map_permit': _('PAM service names for which GPO-based access is always granted'),
'ad_gpo_map_deny': _('PAM service names for which GPO-based access is always denied'),
'ad_gpo_default_right': _('Default logon right (or permit/deny) to use for unmapped PAM service names'),
'ad_site': _('a particular site to be used by the client'),
'ad_maximum_machine_account_password_age': _('Maximum age in days before the machine account password should '
'be renewed'),
'ad_machine_account_password_renewal_opts': _('Option for tuning the machine account renewal task'),
'ad_update_samba_machine_account_password': _('Whether to update the machine account password in the Samba '
'database'),
'ad_use_ldaps': _('Use LDAPS port for LDAP and Global Catalog requests'),
'ad_allow_remote_domain_local_groups': _('Do not filter domain local groups from other domains'),
# [provider/krb5]
'krb5_kdcip': _('Kerberos server address'),
'krb5_server': _('Kerberos server address'),
'krb5_backup_server': _('Kerberos backup server address'),
'krb5_realm': _('Kerberos realm'),
'krb5_auth_timeout': _('Authentication timeout'),
'krb5_use_kdcinfo': _('Whether to create kdcinfo files'),
'krb5_confd_path': _('Where to drop krb5 config snippets'),
# [provider/krb5/auth]
'krb5_ccachedir': _('Directory to store credential caches'),
'krb5_ccname_template': _("Location of the user's credential cache"),
'krb5_keytab': _("Location of the keytab to validate credentials"),
'krb5_validate': _("Enable credential validation"),
'krb5_store_password_if_offline': _("Store password if offline for later online authentication"),
'krb5_renewable_lifetime': _("Renewable lifetime of the TGT"),
'krb5_lifetime': _("Lifetime of the TGT"),
'krb5_renew_interval': _("Time between two checks for renewal"),
'krb5_use_fast': _("Enables FAST"),
'krb5_fast_principal': _("Selects the principal to use for FAST"),
'krb5_fast_use_anonymous_pkinit': _("Use anonymous PKINIT to request FAST credentials"),
'krb5_canonicalize': _("Enables principal canonicalization"),
'krb5_use_enterprise_principal': _("Enables enterprise principals"),
'krb5_use_subdomain_realm': _("Enables using of subdomains realms for authentication"),
'krb5_map_user': _('A mapping from user names to Kerberos principal names'),
# [provider/krb5/chpass]
'krb5_kpasswd': _('Server where the change password service is running if not on the KDC'),
'krb5_backup_kpasswd': _('Server where the change password service is running if not on the KDC'),
# [provider/ldap]
'ldap_uri': _('ldap_uri, The URI of the LDAP server'),
'ldap_backup_uri': _('ldap_backup_uri, The URI of the LDAP server'),
'ldap_search_base': _('The default base DN'),
'ldap_schema': _('The Schema Type in use on the LDAP server, rfc2307'),
'ldap_pwmodify_mode': _('Mode used to change user password'),
'ldap_default_bind_dn': _('The default bind DN'),
'ldap_default_authtok_type': _('The type of the authentication token of the default bind DN'),
'ldap_default_authtok': _('The authentication token of the default bind DN'),
'ldap_network_timeout': _('Length of time to attempt connection'),
'ldap_opt_timeout': _('Length of time to attempt synchronous LDAP operations'),
'ldap_offline_timeout': _('Length of time between attempts to reconnect while offline'),
'ldap_force_upper_case_realm': _('Use only the upper case for realm names'),
'ldap_tls_cacert': _('File that contains CA certificates'),
'ldap_tls_cacertdir': _('Path to CA certificate directory'),
'ldap_tls_cert': _('File that contains the client certificate'),
'ldap_tls_key': _('File that contains the client key'),
'ldap_tls_cipher_suite': _('List of possible ciphers suites'),
'ldap_tls_reqcert': _('Require TLS certificate verification'),
'ldap_sasl_mech': _('Specify the sasl mechanism to use'),
'ldap_sasl_authid': _('Specify the sasl authorization id to use'),
'ldap_sasl_realm': _('Specify the sasl authorization realm to use'),
'ldap_sasl_minssf': _('Specify the minimal SSF for LDAP sasl authorization'),
'ldap_sasl_maxssf': _('Specify the maximal SSF for LDAP sasl authorization'),
'ldap_krb5_keytab': _('Kerberos service keytab'),
'ldap_krb5_init_creds': _('Use Kerberos auth for LDAP connection'),
'ldap_referrals': _('Follow LDAP referrals'),
'ldap_krb5_ticket_lifetime': _('Lifetime of TGT for LDAP connection'),
'ldap_deref': _('How to dereference aliases'),
'ldap_dns_service_name': _('Service name for DNS service lookups'),
'ldap_page_size': _('The number of records to retrieve in a single LDAP query'),
'ldap_deref_threshold': _('The number of members that must be missing to trigger a full deref'),
'ldap_ignore_unreadable_references': _('Ignore unreadable LDAP references'),
'ldap_sasl_canonicalize': _('Whether the LDAP library should perform a reverse lookup to canonicalize the '
'host name during a SASL bind'),
'ldap_rfc2307_fallback_to_local_users': _('Allows to retain local users as members of an LDAP group for '
'servers that use the RFC2307 schema.'),
'ldap_entry_usn': _('entryUSN attribute'),
'ldap_rootdse_last_usn': _('lastUSN attribute'),
'ldap_connection_expiration_timeout': _('How long to retain a connection to the LDAP server before '
'disconnecting'),
'ldap_disable_paging': _('Disable the LDAP paging control'),
'ldap_disable_range_retrieval': _('Disable Active Directory range retrieval'),
# [provider/ldap/id]
'ldap_search_timeout': _('Length of time to wait for a search request'),
'ldap_enumeration_search_timeout': _('Length of time to wait for a enumeration request'),
'ldap_enumeration_refresh_timeout': _('Length of time between enumeration updates'),
'ldap_enumeration_refresh_offset': _('Maximum period deviation between enumeration updates'),
'ldap_purge_cache_timeout': _('Length of time between cache cleanups'),
'ldap_purge_cache_offset': _('Maximum time deviation between cache cleanups'),
'ldap_id_use_start_tls': _('Require TLS for ID lookups'),
'ldap_id_mapping': _('Use ID-mapping of objectSID instead of pre-set IDs'),
'ldap_user_search_base': _('Base DN for user lookups'),
'ldap_user_search_scope': _('Scope of user lookups'),
'ldap_user_search_filter': _('Filter for user lookups'),
'ldap_user_object_class': _('Objectclass for users'),
'ldap_user_name': _('Username attribute'),
'ldap_user_uid_number': _('UID attribute'),
'ldap_user_gid_number': _('Primary GID attribute'),
'ldap_user_gecos': _('GECOS attribute'),
'ldap_user_home_directory': _('Home directory attribute'),
'ldap_user_shell': _('Shell attribute'),
'ldap_user_uuid': _('UUID attribute'),
'ldap_user_objectsid': _("objectSID attribute"),
'ldap_user_primary_group': _('Active Directory primary group attribute for ID-mapping'),
'ldap_user_principal': _('User principal attribute (for Kerberos)'),
'ldap_user_fullname': _('Full Name'),
'ldap_user_member_of': _('memberOf attribute'),
'ldap_user_modify_timestamp': _('Modification time attribute'),
'ldap_user_shadow_last_change': _('shadowLastChange attribute'),
'ldap_user_shadow_min': _('shadowMin attribute'),
'ldap_user_shadow_max': _('shadowMax attribute'),
'ldap_user_shadow_warning': _('shadowWarning attribute'),
'ldap_user_shadow_inactive': _('shadowInactive attribute'),
'ldap_user_shadow_expire': _('shadowExpire attribute'),
'ldap_user_shadow_flag': _('shadowFlag attribute'),
'ldap_user_authorized_service': _('Attribute listing authorized PAM services'),
'ldap_user_authorized_host': _('Attribute listing authorized server hosts'),
'ldap_user_authorized_rhost': _('Attribute listing authorized server rhosts'),
'ldap_user_krb_last_pwd_change': _('krbLastPwdChange attribute'),
'ldap_user_krb_password_expiration': _('krbPasswordExpiration attribute'),
'ldap_pwd_attribute': _('Attribute indicating that server side password policies are active'),
'ldap_user_ad_account_expires': _('accountExpires attribute of AD'),
'ldap_user_ad_user_account_control': _('userAccountControl attribute of AD'),
'ldap_ns_account_lock': _('nsAccountLock attribute'),
'ldap_user_nds_login_disabled': _('loginDisabled attribute of NDS'),
'ldap_user_nds_login_expiration_time': _('loginExpirationTime attribute of NDS'),
'ldap_user_nds_login_allowed_time_map': _('loginAllowedTimeMap attribute of NDS'),
'ldap_user_ssh_public_key': _('SSH public key attribute'),
'ldap_user_auth_type': _('attribute listing allowed authentication types for a user'),
'ldap_user_certificate': _('attribute containing the X509 certificate of the user'),
'ldap_user_email': _('attribute containing the email address of the user'),
'ldap_user_passkey': _('attribute containing the passkey mapping data of the user'),
'ldap_user_extra_attrs': _('A list of extra attributes to download along with the user entry'),
'ldap_group_search_base': _('Base DN for group lookups'),
'ldap_group_object_class': _('Objectclass for groups'),
'ldap_group_name': _('Group name'),
'ldap_group_pwd': _('Group password'),
'ldap_group_gid_number': _('GID attribute'),
'ldap_group_member': _('Group member attribute'),
'ldap_group_uuid': _('Group UUID attribute'),
'ldap_group_objectsid': _("objectSID attribute"),
'ldap_group_modify_timestamp': _('Modification time attribute for groups'),
'ldap_group_type': _('Type of the group and other flags'),
'ldap_group_external_member': _('The LDAP group external member attribute'),
'ldap_group_nesting_level': _('Maximum nesting level SSSD will follow'),
'ldap_group_search_filter': _('Filter for group lookups'),
'ldap_group_search_scope': _('Scope of group lookups'),
'ldap_netgroup_search_base': _('Base DN for netgroup lookups'),
'ldap_netgroup_object_class': _('Objectclass for netgroups'),
'ldap_netgroup_name': _('Netgroup name'),
'ldap_netgroup_member': _('Netgroups members attribute'),
'ldap_netgroup_triple': _('Netgroup triple attribute'),
'ldap_netgroup_modify_timestamp': _('Modification time attribute for netgroups'),
'ldap_service_search_base': _('Base DN for service lookups'),
'ldap_service_object_class': _('Objectclass for services'),
'ldap_service_name': _('Service name attribute'),
'ldap_service_port': _('Service port attribute'),
'ldap_service_proto': _('Service protocol attribute'),
'ldap_idmap_range_min': _('Lower bound for ID-mapping'),
'ldap_idmap_range_max': _('Upper bound for ID-mapping'),
'ldap_idmap_range_size': _('Number of IDs for each slice when ID-mapping'),
'ldap_idmap_autorid_compat': _('Use autorid-compatible algorithm for ID-mapping'),
'ldap_idmap_default_domain': _('Name of the default domain for ID-mapping'),
'ldap_idmap_default_domain_sid': _('SID of the default domain for ID-mapping'),
'ldap_idmap_helper_table_size': _('Number of secondary slices'),
'ldap_use_tokengroups': _('Whether to use Token-Groups'),
'ldap_min_id': _('Set lower boundary for allowed IDs from the LDAP server'),
'ldap_max_id': _('Set upper boundary for allowed IDs from the LDAP server'),
'ldap_pwdlockout_dn': _('DN for ppolicy queries'),
'wildcard_limit': _('How many maximum entries to fetch during a wildcard request'),
'ldap_library_debug_level': _('Set libldap debug level'),
# [provider/ldap/auth]
'ldap_pwd_policy': _('Policy to evaluate the password expiration'),
# [provider/ldap/access]
'ldap_access_filter': _('LDAP filter to determine access privileges'),
'ldap_account_expire_policy': _('Which attributes shall be used to evaluate if an account is expired'),
'ldap_access_order': _('Which rules should be used to evaluate access control'),
# [provider/ldap/chpass]
'ldap_chpass_uri': _('URI of an LDAP server where password changes are allowed'),
'ldap_chpass_backup_uri': _('URI of a backup LDAP server where password changes are allowed'),
'ldap_chpass_dns_service_name': _('DNS service name for LDAP password change server'),
'ldap_chpass_update_last_change': _('Whether to update the ldap_user_shadow_last_change attribute after a '
'password change'),
# [provider/ldap/sudo]
'ldap_sudo_search_base': _('Base DN for sudo rules lookups'),
'ldap_sudo_full_refresh_interval': _('Automatic full refresh period'),
'ldap_sudo_smart_refresh_interval': _('Automatic smart refresh period'),
'ldap_sudo_random_offset': _('Smart and full refresh random offset'),
'ldap_sudo_use_host_filter': _('Whether to filter rules by hostname, IP addresses and network'),
'ldap_sudo_hostnames': _('Hostnames and/or fully qualified domain names of this machine to filter sudo rules'),
'ldap_sudo_ip': _('IPv4 or IPv6 addresses or network of this machine to filter sudo rules'),
'ldap_sudo_include_netgroups': _('Whether to include rules that contains netgroup in host attribute'),
'ldap_sudo_include_regexp': _('Whether to include rules that contains regular expression in host attribute'),
'ldap_sudorule_object_class': _('Object class for sudo rules'),
'ldap_sudorule_object_class_attr': _('Name of attribute that is used as object class for sudo rules'),
'ldap_sudorule_name': _('Sudo rule name'),
'ldap_sudorule_command': _('Sudo rule command attribute'),
'ldap_sudorule_host': _('Sudo rule host attribute'),
'ldap_sudorule_user': _('Sudo rule user attribute'),
'ldap_sudorule_option': _('Sudo rule option attribute'),
'ldap_sudorule_runas': _('Sudo rule runas attribute'),
'ldap_sudorule_runasuser': _('Sudo rule runasuser attribute'),
'ldap_sudorule_runasgroup': _('Sudo rule runasgroup attribute'),
'ldap_sudorule_notbefore': _('Sudo rule notbefore attribute'),
'ldap_sudorule_notafter': _('Sudo rule notafter attribute'),
'ldap_sudorule_order': _('Sudo rule order attribute'),
# [provider/ldap/autofs]
'ldap_autofs_map_object_class': _('Object class for automounter maps'),
'ldap_autofs_map_name': _('Automounter map name attribute'),
'ldap_autofs_entry_object_class': _('Object class for automounter map entries'),
'ldap_autofs_entry_key': _('Automounter map entry key attribute'),
'ldap_autofs_entry_value': _('Automounter map entry value attribute'),
'ldap_autofs_search_base': _('Base DN for automounter map lookups'),
'ldap_autofs_map_master_name': _('The name of the automount master map in LDAP.'),
# [provider/ldap/resolver]
'ldap_iphost_search_base': _('Base DN for IP hosts lookups'),
'ldap_iphost_object_class': _('Object class for IP hosts'),
'ldap_iphost_name': _('IP host name attribute'),
'ldap_iphost_number': _('IP host number (address) attribute'),
'ldap_iphost_entry_usn': _('IP host entryUSN attribute'),
'ldap_ipnetwork_search_base': _('Base DN for IP networks lookups'),
'ldap_ipnetwork_object_class': _('Object class for IP networks'),
'ldap_ipnetwork_name': _('IP network name attribute'),
'ldap_ipnetwork_number': _('IP network number (address) attribute'),
'ldap_ipnetwork_entry_usn': _('IP network entryUSN attribute'),
# [provider/simple/access]
'simple_allow_users': _('Comma separated list of allowed users'),
'simple_deny_users': _('Comma separated list of prohibited users'),
'simple_allow_groups': _('Comma separated list of groups that are allowed to log in. This applies only to '
'groups within this SSSD domain. Local groups are not evaluated.'),
'simple_deny_groups': _('Comma separated list of groups that are explicitly denied access. This applies only '
'to groups within this SSSD domain. Local groups are not evaluated.'),
# [provider/proxy]
'proxy_max_children': _('The number of preforked proxy children.'),
# [provider/proxy/id]
'proxy_lib_name': _('The name of the NSS library to use'),
'proxy_resolver_lib_name': _('The name of the NSS library to use for hosts and networks lookups'),
'proxy_fast_alias': _('Whether to look up canonical group name from cache if possible'),
# [provider/proxy/auth]
'proxy_pam_target': _('PAM stack to use'),
# [provider/files]
'passwd_files': _('Path of passwd file sources.'),
'group_files': _('Path of group file sources.')
}
Zerion Mini Shell 1.0