SSSDConfig/__init__.py (/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py)

Created on Sep 18, 2009

@author: sgallagh

Exception classes defined by the module:

  SSSDConfigException
  ParsingError
  AlreadyInitializedError
  NotInitializedError
  NoOutputFileError
  NoServiceError
  NoSectionError
  NoOptionError
  ServiceNotRecognizedError
  ServiceAlreadyExists
  NoDomainError
  DomainNotRecognized
  DomainAlreadyExistsError
  NoSuchProviderError
  NoSuchProviderSubtypeError
  ProviderSubtypeInUse

Option description strings and option names, in the order they appear:

  Description | Option name
  Set the verbosity of the debug logging | debug
   | debug_level
  Include timestamps in debug logs | debug_timestamps
  Include microseconds in timestamps in debug logs | debug_microseconds
  Write debug messages to logfiles | debug_to_files
  Watchdog timeout before restarting service | timeout
  Command to start service | command
  Number of times to attempt connection to Data Providers | reconnection_retries
  The number of file descriptors that may be opened by this responder | fd_limit
  Idle time before automatic disconnection of a client | client_idle_timeout
  Idle time before automatic shutdown of the responder | responder_idle_timeout
  Always query all the caches before querying the Data Providers | cache_first
  SSSD Services to start | services
  SSSD Domains to start | domains
  Timeout for messages sent over the SBUS | sbus_timeout
  Regex to parse username and domain | re_expression
  Printf-compatible format for displaying fully-qualified names | full_name_format
  Directory on the filesystem where SSSD should store Kerberos replay cache files. | krb5_rcache_dir
  Domain to add to names without a domain component. | default_domain_suffix
  The user to drop privileges to | user
  Tune certificate verification | certificate_verification
  All spaces in group or user names will be replaced with this character | override_space
  Tune sssd to honor or ignore netlink state changes | disable_netlink
  Enable or disable the implicit files domain | enable_files_domain
  A specific order of the domains to be looked up | domain_resolution_order
  Enumeration cache timeout length (seconds) | enum_cache_timeout
  Entry cache background update timeout length (seconds) | entry_cache_no_wait_timeout
  Negative cache timeout length (seconds) | entry_negative_timeout
  Files negative cache timeout length (seconds) | local_negative_timeout
  Users that SSSD should explicitly ignore | filter_users
  Groups that SSSD should explicitly ignore | filter_groups
  Should filtered users appear in groups | filter_users_in_groups
  The value of the password field the NSS provider should return | pwfield
  Override homedir value from the identity provider with this value | override_homedir
  Substitute empty homedir value from the identity provider with this value | fallback_homedir
  Override shell value from the identity provider with this value | override_shell
  The list of shells users are allowed to log in with | allowed_shells
  The list of shells that will be vetoed, and replaced with the fallback shell | vetoed_shells
  If a shell stored in central directory is allowed but not available, use this fallback | shell_fallback
  Shell to use if the provider does not list one | default_shell
  How long will be in-memory cache records valid | memcache_timeout
  List of user attributes the NSS responder is allowed to publish | user_attributes
  How long to allow cached logins between online logins (days) | offline_credentials_expiration
  How many failed logins attempts are allowed when offline | offline_failed_login_attempts
  How long (minutes) to deny login after offline_failed_login_attempts has been reached | offline_failed_login_delay
  What kind of messages are displayed to the user during authentication | pam_verbosity
  Filter PAM responses sent to the pam_sss | pam_response_filter
  How many seconds to keep identity information cached for PAM requests | pam_id_timeout
  How many days before password expiration a warning should be displayed | pam_pwd_expiration_warning
  List of trusted uids or user's name | pam_trusted_users
  List of domains accessible even for untrusted users. | pam_public_domains
  Message printed when user account is expired. | pam_account_expired_message
  Message printed when user account is locked. | pam_account_locked_message
  Allow certificate based/Smartcard authentication. | pam_cert_auth
  Path to certificate database with PKCS#11 modules. | pam_cert_db_path
  How many seconds will pam_sss wait for p11_child to finish | p11_child_timeout
  Which PAM services are permitted to contact application domains | pam_app_services
  Allowed services for using smartcards | pam_p11_allowed_services
  Whether to evaluate the time-based attributes in sudo rules | sudo_timed
  If true, SSSD will switch back to lower-wins ordering logic | sudo_inverse_order
  Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh is performed. | sudo_threshold
   | autofs_negative_timeout
  Whether to hash host names and addresses in the known_hosts file | ssh_hash_known_hosts
  How many seconds to keep a host in the known_hosts file after its host keys were requested | ssh_known_hosts_timeout
  Path to storage of trusted CA certificates | ca_db
  List of UIDs or user names allowed to access the PAC responder | allowed_uids
  How long the PAC data is considered valid | pac_lifetime
  List of UIDs or user names allowed to access the InfoPipe responder |
  List of user attributes the InfoPipe is allowed to publish |
  The provider where the secrets will be stored in | provider
  The maximum allowed number of nested containers | containers_nest_level
  The maximum number of secrets that can be stored | max_secrets
  The maximum number of secrets that can be stored per UID | max_uid_secrets
  The maximum payload size of a secret in kilobytes | max_payload_size
  The URL Custodia server is listening on | proxy_url
  The method to use when authenticating to a Custodia server | auth_type
  The name of the headers that will be added into a HTTP request with the value defined in auth_header_value | auth_header_name
  The value sssd-secrets would use for auth_header_name | auth_header_value
  The list of the headers to forward to the Custodia server together with the request | forward_headers
  The username to use when authenticating to a Custodia server using basic_auth | username
  The password to use when authenticating to a Custodia server using basic_auth | password
  If true peer's certificate is verified if proxy_url uses https protocol | verify_peer
  If false peer's certificate may contain different hostname than proxy_url when https protocol is used | verify_host
  Path to directory where certificate authority certificates are stored | capath
  Path to file containing server's CA certificate | cacert
  Path to file containing client's certificate | cert
  Path to file containing client's private key | key
  Identity provider | id_provider
  Authentication provider | auth_provider
  Access control provider | access_provider
  Password change provider | chpass_provider
  SUDO provider | sudo_provider
  Autofs provider | autofs_provider
  Host identity provider | hostid_provider
  SELinux provider | selinux_provider
  Session management provider | session_provider
  Whether the domain is usable by the OS or by applications | domain_type
  Minimum user ID | min_id
  Maximum user ID | max_id
  Enable enumerating all users/groups | enumerate
  Cache credentials for offline login | cache_credentials
  Store password hashes | store_legacy_passwords
  Display users/groups in fully-qualified form | use_fully_qualified_names
  Don't include group members in group lookups | ignore_group_members
  Entry cache timeout length (seconds) | entry_cache_timeout
  Restrict or prefer a specific address family when performing DNS lookups | lookup_family_order
  How long to keep cached entries after last successful login (days) | account_cache_expiration
  How long should SSSD talk to single DNS server before trying next server (miliseconds) | dns_resolver_server_timeout
  How long should keep trying to resolve single DNS query (seconds) | dns_resolver_op_timeout
  How long to wait for replies from DNS when resolving servers (seconds) | dns_resolver_timeout
  The domain part of service discovery DNS query | dns_discovery_domain
  Override GID value from the identity provider with this value | override_gid
  Treat usernames as case sensitive | case_sensitive
   | entry_cache_user_timeout
   | entry_cache_group_timeout
   | entry_cache_netgroup_timeout
   | entry_cache_service_timeout
   | entry_cache_autofs_timeout
   | entry_cache_sudo_timeout
  How often should expired entries be refreshed in background | refresh_expired_interval
  Whether to automatically update the client's DNS entry | dyndns_update
  The TTL to apply to the client's DNS entry after updating it | dyndns_ttl
  The interface whose IP should be used for dynamic DNS updates | dyndns_iface
  How often to periodically update the client's DNS entry | dyndns_refresh_interval
  Whether the provider should explicitly update the PTR record as well | dyndns_update_ptr
  Whether the nsupdate utility should default to using TCP | dyndns_force_tcp
  What kind of authentication should be used to perform the DNS update | dyndns_auth
  Override the DNS server used to perform the DNS update | dyndns_server
  Control enumeration of trusted domains | subdomain_enumerate
  How often should subdomains list be refreshed | subdomain_refresh_interval
  List of options that should be inherited into a subdomain | subdomain_inherit
  Default subdomain homedir value | subdomain_homedir
  How long can cached credentials be used for cached authentication | cached_auth_timeout
  Whether to automatically create private groups for users | auto_private_groups
  IPA domain | ipa_domain
  IPA server address | ipa_server
  Address of backup IPA server | ipa_backup_server
  IPA client hostname | ipa_hostname
  Whether to automatically update the client's DNS entry in FreeIPA | ipa_dyndns_update
   | ipa_dyndns_ttl
   | ipa_dyndns_iface
  Search base for HBAC related objects | ipa_hbac_search_base
  The amount of time between lookups of the HBAC rules against the IPA server | ipa_hbac_refresh
  The amount of time in seconds between lookups of the SELinux maps against the IPA server | ipa_selinux_refresh
  If set to false, host argument given by PAM will be ignored | ipa_hbac_support_srchost
  The automounter location this IPA client is using | ipa_automount_location
  Search base for object containing info about IPA domain | ipa_master_domain_search_base
  Search base for objects containing info about ID ranges | ipa_ranges_search_base
  Enable DNS sites - location based service discovery | ipa_enable_dns_sites
  Search base for view containers | ipa_views_search_base
  Objectclass for view containers | ipa_view_class
  Attribute with the name of the view | ipa_view_name
  Objectclass for override objects | ipa_override_object_class
  Attribute with the reference to the original object | ipa_anchor_uuid
  Objectclass for user override objects | ipa_user_override_object_class
  Objectclass for group override objects | ipa_group_override_object_class
  Search base for Desktop Profile related objects | ipa_deskprofile_search_base
  The amount of time in seconds between lookups of the Desktop Profile rules against the IPA server | ipa_deskprofile_refresh
  The amount of time in minutes between lookups of Desktop Profiles rules against the IPA server when the last request did not find any rule | ipa_deskprofile_request_interval
  Active Directory domain | ad_domain
  Enabled Active Directory domains | ad_enabled_domains
  Active Directory server address | ad_server
  Active Directory backup server address | ad_backup_server
  Active Directory client hostname | ad_hostname
   | ad_enable_dns_sites
  LDAP filter to determine access privileges | ad_access_filter
  Whether to use the Global Catalog for lookups | ad_enable_gc
  Operation mode for GPO-based access control | ad_gpo_access_control
  The amount of time between lookups of the GPO policy files against the AD server | ad_gpo_cache_timeout
  PAM service names that map to the GPO (Deny)InteractiveLogonRight policy settings | ad_gpo_map_interactive
  PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight policy settings | ad_gpo_map_remote_interactive
  PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings | ad_gpo_map_network
  PAM service names that map to the GPO (Deny)BatchLogonRight policy settings | ad_gpo_map_batch
  PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings | ad_gpo_map_service
  PAM service names for which GPO-based access is always granted | ad_gpo_map_permit
  PAM service names for which GPO-based access is always denied | ad_gpo_map_deny
  Default logon right (or permit/deny) to use for unmapped PAM service names | ad_gpo_default_right
  a particular site to be used by the client | ad_site
  Maximum age in days before the machine account password should be renewed | ad_maximum_machine_account_password_age
  Option for tuning the machine account renewal task | ad_machine_account_password_renewal_opts
  Use LDAPS port for LDAP and Global Catalog requests | ad_use_ldaps
  Do not filter domain local groups from other domains | ad_allow_remote_domain_local_groups
  Kerberos server address | krb5_kdcip
   | krb5_server
  Kerberos backup server address | krb5_backup_server
  Kerberos realm | krb5_realm
  Authentication timeout | krb5_auth_timeout
  Whether to create kdcinfo files | krb5_use_kdcinfo
  Where to drop krb5 config snippets | krb5_confd_path
  Directory to store credential caches | krb5_ccachedir
  Location of the user's credential cache | krb5_ccname_template
  Location of the keytab to validate credentials | krb5_keytab
  Enable credential validation | krb5_validate
  Store password if offline for later online authentication | krb5_store_password_if_offline
  Renewable lifetime of the TGT | krb5_renewable_lifetime
  Lifetime of the TGT | krb5_lifetime
  Time between two checks for renewal | krb5_renew_interval
  Enables FAST | krb5_use_fast
  Selects the principal to use for FAST | krb5_fast_principal
  Enables principal canonicalization | krb5_canonicalize
  Enables enterprise principals | krb5_use_enterprise_principal
  A mapping from user names to Kerberos principal names | krb5_map_user
  Server where the change password service is running if not on the KDC | krb5_kpasswd
   | krb5_backup_kpasswd
  ldap_uri, The URI of the LDAP server | ldap_uri
  ldap_backup_uri, The URI of the LDAP server | ldap_backup_uri
  The default base DN | ldap_search_base
  The Schema Type in use on the LDAP server, rfc2307 | ldap_schema
  Mode used to change user password | ldap_pwmodify_mode
  The default bind DN | ldap_default_bind_dn
  The type of the authentication token of the default bind DN | ldap_default_authtok_type
  The authentication token of the default bind DN | ldap_default_authtok
  Length of time to attempt connection | ldap_network_timeout
  Length of time to attempt synchronous LDAP operations | ldap_opt_timeout
  Length of time between attempts to reconnect while offline | ldap_offline_timeout
  Use only the upper case for realm names | ldap_force_upper_case_realm
  File that contains CA certificates | ldap_tls_cacert
  Path to CA certificate directory | ldap_tls_cacertdir
  File that contains the client certificate | ldap_tls_cert
  File that contains the client key | ldap_tls_key
  List of possible ciphers suites | ldap_tls_cipher_suite
  Require TLS certificate verification | ldap_tls_reqcert
  Specify the sasl mechanism to use | ldap_sasl_mech
  Specify the sasl authorization id to use | ldap_sasl_authid
  Specify the sasl authorization realm to use | ldap_sasl_realm
  Specify the minimal SSF for LDAP sasl authorization | ldap_sasl_minssf
  Specify the maximal SSF for LDAP sasl authorization | ldap_sasl_maxssf
  Kerberos service keytab | ldap_krb5_keytab
  Use Kerberos auth for LDAP connection | ldap_krb5_init_creds
  Follow LDAP referrals | ldap_referrals
  Lifetime of TGT for LDAP connection | ldap_krb5_ticket_lifetime
  How to dereference aliases | ldap_deref
  Service name for DNS service lookups | ldap_dns_service_name
  The number of records to retrieve in a single LDAP query | ldap_page_size
  The number of members that must be missing to trigger a full deref | ldap_deref_threshold
  Whether the LDAP library should perform a reverse lookup to canonicalize the host name during a SASL bind | ldap_sasl_canonicalize
  entryUSN attribute | ldap_entry_usn
  lastUSN attribute | ldap_rootdse_last_usn
  How long to retain a connection to the LDAP server before disconnecting | ldap_connection_expiration_timeout
  Disable the LDAP paging control | ldap_disable_paging
  Disable Active Directory range retrieval | ldap_disable_range_retrieval
  Length of time to wait for a search request | ldap_search_timeout
  Length of time to wait for a enumeration request | ldap_enumeration_search_timeout
  Length of time between enumeration updates | ldap_enumeration_refresh_timeout
  Length of time between cache cleanups | ldap_purge_cache_timeout
  Require TLS for ID lookups | ldap_id_use_start_tls
  Use ID-mapping of objectSID instead of pre-set IDs | ldap_id_mapping
  Base DN for user lookups | ldap_user_search_base
  Scope of user lookups | ldap_user_search_scope
  Filter for user lookups | ldap_user_search_filter
  Objectclass for users | ldap_user_object_class
  Username attribute | ldap_user_name
  UID attribute | ldap_user_uid_number
  Primary GID attribute | ldap_user_gid_number
  GECOS attribute | ldap_user_gecos
  Home directory attribute | ldap_user_home_directory
  Shell attribute | ldap_user_shell
  UUID attribute | ldap_user_uuid
  objectSID attribute | ldap_user_objectsid
  Active Directory primary group attribute for ID-mapping | ldap_user_primary_group
  User principal attribute (for Kerberos) | ldap_user_principal
  Full Name | ldap_user_fullname
  memberOf attribute | ldap_user_member_of
  Modification time attribute | ldap_user_modify_timestamp
  shadowLastChange attribute | ldap_user_shadow_last_change
  shadowMin attribute | ldap_user_shadow_min
  shadowMax attribute | ldap_user_shadow_max
  shadowWarning attribute | ldap_user_shadow_warning
  shadowInactive attribute | ldap_user_shadow_inactive
  shadowExpire attribute | ldap_user_shadow_expire
  shadowFlag attribute | ldap_user_shadow_flag
  Attribute listing authorized PAM services | ldap_user_authorized_service
  Attribute listing authorized server hosts | ldap_user_authorized_host
  Attribute listing authorized server rhosts | ldap_user_authorized_rhost
  krbLastPwdChange attribute | ldap_user_krb_last_pwd_change
  krbPasswordExpiration attribute | ldap_user_krb_password_expiration
  Attribute indicating that server side password policies are active | ldap_pwd_attribute
  accountExpires attribute of AD | ldap_user_ad_account_expires
  userAccountControl attribute of AD | ldap_user_ad_user_account_control
  nsAccountLock attribute | ldap_ns_account_lock
  loginDisabled attribute of NDS | ldap_user_nds_login_disabled
  loginExpirationTime attribute of NDS | ldap_user_nds_login_expiration_time
  loginAllowedTimeMap attribute of NDS | ldap_user_nds_login_allowed_time_map
  SSH public key attribute | ldap_user_ssh_public_key
  attribute listing allowed authentication types for a user | ldap_user_auth_type
  attribute containing the X509 certificate of the user | ldap_user_certificate
  attribute containing the email address of the user | ldap_user_email
  A list of extra attributes to download along with the user entry | ldap_user_extra_attrs
  Base DN for group lookups | ldap_group_search_base
  Objectclass for groups | ldap_group_object_class
  Group name | ldap_group_name
  Group password | ldap_group_pwd
  GID attribute | ldap_group_gid_number
  Group member attribute | ldap_group_member
  Group UUID attribute | ldap_group_uuid
   | ldap_group_objectsid
  Modification time attribute for groups | ldap_group_modify_timestamp
  Type of the group and other flags | ldap_group_type
  The LDAP group external member attribute | ldap_group_external_member
  Maximum nesting level SSSD will follow | ldap_group_nesting_level
  Base DN for netgroup lookups | ldap_netgroup_search_base
  Objectclass for netgroups | ldap_netgroup_object_class
  Netgroup name | ldap_netgroup_name
  Netgroups members attribute | ldap_netgroup_member
  Netgroup triple attribute | ldap_netgroup_triple
  Modification time attribute for netgroups | ldap_netgroup_modify_timestamp
  Base DN for service lookups | ldap_service_search_base
  Objectclass for services | ldap_service_object_class
  Service name attribute | ldap_service_name
  Service port attribute | ldap_service_port
  Service protocol attribute | ldap_service_proto
  Lower bound for ID-mapping | ldap_idmap_range_min
  Upper bound for ID-mapping | ldap_idmap_range_max
  Number of IDs for each slice when ID-mapping | ldap_idmap_range_size
  Use autorid-compatible algorithm for ID-mapping | ldap_idmap_autorid_compat
  Name of the default domain for ID-mapping | ldap_idmap_default_domain
  SID of the default domain for ID-mapping | ldap_idmap_default_domain_sid
  Number of secondary slices | ldap_idmap_helper_table_size
  Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups | ldap_groups_use_matching_rule_in_chain
  Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups | ldap_initgroups_use_matching_rule_in_chain
  Whether to use Token-Groups | ldap_use_tokengroups
  Set lower boundary for allowed IDs from the LDAP server | ldap_min_id
  Set upper boundary for allowed IDs from the LDAP server | ldap_max_id
  DN for ppolicy queries | ldap_pwdlockout_dn
  How many maximum entries to fetch during a wildcard request | wildcard_limit
  Policy to evaluate the password expiration | ldap_pwd_policy
   | ldap_access_filter
  Which attributes shall be used to evaluate if an account is expired | ldap_account_expire_policy
  Which rules should be used to evaluate access control | ldap_access_order
  URI of an LDAP server where password changes are allowed | ldap_chpass_uri
  URI of a backup LDAP server where password changes are allowed | ldap_chpass_backup_uri
  DNS service name for LDAP password change server | ldap_chpass_dns_service_name
  Whether to update the ldap_user_shadow_last_change attribute after a password change | ldap_chpass_update_last_change
  Base DN for sudo rules lookups | ldap_sudo_search_base
  Automatic full refresh period | ldap_sudo_full_refresh_interval
  Automatic smart refresh period | ldap_sudo_smart_refresh_interval
  Whether to filter rules by hostname, IP addresses and network | ldap_sudo_use_host_filter
  Hostnames and/or fully qualified domain names of this machine to filter sudo rules | ldap_sudo_hostnames
  IPv4 or IPv6 addresses or network of this machine to filter sudo rules | ldap_sudo_ip
  Whether to include rules that contains netgroup in host attribute | ldap_sudo_include_netgroups
  Whether to include rules that contains regular expression in host attribute | ldap_sudo_include_regexp
  Object class for sudo rules | ldap_sudorule_object_class
  Name of attribute that is used as object class for sudo rules | ldap_sudorule_object_class_attr
  Sudo rule name | ldap_sudorule_name
  Sudo rule command attribute | ldap_sudorule_command
  Sudo rule host attribute | ldap_sudorule_host
  Sudo rule user attribute | ldap_sudorule_user
  Sudo rule option attribute | ldap_sudorule_option
  Sudo rule runas attribute | ldap_sudorule_runas
  Sudo rule runasuser attribute | ldap_sudorule_runasuser
  Sudo rule runasgroup attribute | ldap_sudorule_runasgroup
  Sudo rule notbefore attribute | ldap_sudorule_notbefore
  Sudo rule notafter attribute | ldap_sudorule_notafter
  Sudo rule order attribute | ldap_sudorule_order
  Object class for automounter maps | ldap_autofs_map_object_class
  Automounter map name attribute | ldap_autofs_map_name
  Object class for automounter map entries | ldap_autofs_entry_object_class
  Automounter map entry key attribute | ldap_autofs_entry_key
  Automounter map entry value attribute | ldap_autofs_entry_value
  Base DN for automounter map lookups | ldap_autofs_search_base
  Comma separated list of allowed users | simple_allow_users
  Comma separated list of prohibited users | simple_deny_users
  Default shell, /bin/bash |
  Base for home directories | base_directory
  The number of preforked proxy children. | proxy_max_children
  The name of the NSS library to use | proxy_lib_name
  Whether to look up canonical group name from cache if possible | proxy_fast_alias
  PAM stack to use | proxy_pam_target
  Path of passwd file sources. | passwd_files
  Path of group file sources. | group_files
Docstrings recovered from the module, in the order they appear:

[method name not recoverable]

    Return a dictionary of providers.

    === Returns ===
    Returns a dictionary of providers, keyed on the primary type,
    with the value being a tuple of the subtypes it supports.

    Example:
      { 'ldap' : ('id', 'auth', 'chpass') }

    === Errors ===
    No Errors

SSSDConfig constructor

    Initialize the SSSD config parser/editor. This constructor does not
    open or create a config file. If the schemafile and schemaplugindir
    are not passed, it will use the system defaults.

    schemafile:
      The path to the API schema config file. Usually
      /usr/share/sssd/sssd.api.conf

    schemaplugindir:
      The path the directory containing the provider schema config files.
      Usually /usr/share/sssd/sssd.api.d

    === Returns ===
    The newly-created SSSDConfig object.

    === Errors ===
    IOError:
      Exception raised when the schema file could not be opened for
      reading.
    ParsingError:
      The main schema file or one of those in the plugin directory could
      not be parsed.

import_config

    Read in a config file, populating all of the service and domain
    objects with the read values.

    configfile:
      The path to the SSSD config file. If not specified, use the system
      default, usually /etc/sssd.conf

    === Returns ===
    No return value

    === Errors ===
    IOError:
      Exception raised when the file could not be opened for reading
    ParsingError:
      Exception raised when errors occur attempting to parse a file.
    AlreadyInitializedError:
      This SSSDConfig object was already initialized by a call to
      import_config() or new_config()

new_config

    Initialize the SSSDConfig object with the defaults from the schema.

    === Returns ===
    No return value

    === Errors ===
    AlreadyInitializedError:
      This SSSDConfig object was already initialized by a call to
      import_config() or new_config()

write

    Write out the configuration to a file.

    outputfile:
      The path to write the new config file. If it is not specified, it
      will use the path specified by the import() call.

    === Returns ===
    No return value

    === Errors ===
    IOError:
      Exception raised when the file could not be opened for writing
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.
    NoOutputFileError:
      No outputfile was specified and this SSSDConfig object was not
      initialized by import()

list_active_services

    Return a list of all active services.

    === Returns ===
    The list of active services.

    === Errors ===
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.

list_inactive_services

    Return a list of all disabled services.

    === Returns ===
    The list of inactive services.

    === Errors ===
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.

list_services

    Retrieve a list of known services.

    === Returns ===
    The list of known services.

    === Errors ===
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.

get_service

    Get an SSSDService object to edit a service.

    name:
      The name of the service to return.

    === Returns ===
    An SSSDService instance containing the current state of a service in
    the SSSDConfig

    === Errors ===
    NoServiceError:
      There is no such service with the specified name in the SSSDConfig.
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.

new_service

    Create a new service from the defaults and return the SSSDService
    object for it. This function will also add this service to the list of
    active services in the [SSSD] section.

    name:
      The name of the service to create and return.

    === Returns ===
    The newly-created SSSDService object

    === Errors ===
    ServiceNotRecognizedError:
      There is no such service in the schema.
    ServiceAlreadyExistsError:
      The service being created already exists in the SSSDConfig object.
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.

activate_service

    Activate a service

    name:
      The name of the service to activate

    === Returns ===
    No return value

    === Errors ===
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.
    NoServiceError:
      There is no such service with the specified name in the SSSDConfig.

deactivate_service

    Deactivate a service

    name:
      The name of the service to deactivate

    === Returns ===
    No return value

    === Errors ===
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.
    NoServiceError:
      There is no such service with the specified name in the SSSDConfig.

delete_service

    Remove a service from the SSSDConfig object. This function will also
    remove this service from the list of active services in the [SSSD]
    section. Has no effect if the service does not exist.

    === Returns ===
    No return value

    === Errors ===
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.

save_service

    Save the changes made to the service object back to the SSSDConfig
    object.

    service_object:
      The SSSDService object to save to the configuration.

    === Returns ===
    No return value

    === Errors ===
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.
    TypeError:
      service_object was not of the type SSSDService

list_active_domains

    Return a list of all active domains.

    === Returns ===
    The list of configured, active domains.

    === Errors ===
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.

list_inactive_domains

    Return a list of all configured, but disabled domains.

    === Returns ===
    The list of configured, inactive domains.

    === Errors ===
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.

list_domains

    Return a list of all configured domains, including inactive domains.

    === Returns ===
    The list of configured domains, both active and inactive.

    === Errors ===
    NotInitializedError:
      This SSSDConfig object has not had import_config() or new_config()
      run on it yet.
Rsdomain/i(RRRR(RRR"((s7/usr/lib/python2.7/site-packages/SSSDConfig/__init__.pyR:Vs  :cCse|jstn|jd|s4t|nt||j}g|j|jd|D]3}|djddkrc|d|df^qc}x<|D]4\}}y|j ||Wqt k rqXqWxq|j|jd|D]S}|d|df|kry|j |d|dWqKt k rGqKXqqW|j ||_ |S(s Get an SSSDDomain object to edit a domain. name: The name of the domain to return. === Returns === An SSSDDomain instance containing the current state of a domain in the SSSDConfig === Errors === NoDomainError: There is no such domain with the specified name in the SSSDConfig. NotInitializedError: This SSSDConfig object has not had import_config() or new_config() run on it yet. s domain/%sRRiR( RRRR RRRRRRR tis_domain_activeR(RRRRRRRR ((s7/usr/lib/python2.7/site-packages/SSSDConfig/__init__.pyt get_domaings(  #3 #  cCsQ|jstn|jd|r.tnt||j}|j||S(s Create a new, empty domain and return the SSSDDomain object for it. name: The name of the domain to create and return. === Returns === The newly-created SSSDDomain object === Errors === DomainAlreadyExistsError: The service being created already exists in the SSSDConfig object. NotInitializedError: This SSSDConfig object has not had import_config() or new_config() run on it yet. s domain/%s(RRRRRRt save_domain(RRR((s7/usr/lib/python2.7/site-packages/SSSDConfig/__init__.pyt new_domains    cCs=|jstn||jkr-tn||jkS(s Is a particular domain set active name: The name of the configured domain to check === Returns === True if the domain is active, False if it is inactive === Errors === NotInitializedError: This SSSDConfig object has not had import_config() or new_config() run on it yet. NoDomainError: No domain by this name is configured (RRR:R R?(RR((s7/usr/lib/python2.7/site-packages/SSSDConfig/__init__.pyRAs    cCs|jstn||jkr-tn|jddd}|s`|jdd|dStjt|dj d}d|kr|d=nd||<|jdddj |j dS( s Activate a configured domain name: The name of the configured domain to activate === Returns === No return value === Errors === NotInitializedError: This SSSDConfig object has not had import_config() or new_config() run on it yet. 
NoDomainError: No domain by this name is configured RR"iNRRR"s, ( RRR:R R-R.RR#RRRR/R(RRR0R<((s7/usr/lib/python2.7/site-packages/SSSDConfig/__init__.pytactivate_domains   "   cCs|jstn||jkr-tn|jddd}|s`|jddddStjt|dj d}d|kr|d=n||kr||=n|jdddj |j dS( s Deactivate a configured domain name: The name of the configured domain to deactivate === Returns === No return value === Errors === NotInitializedError: This SSSDConfig object has not had import_config() or new_config() run on it yet. NoDomainError: No domain by this name is configured RR"iR"NRRs, ( RRR:R R-R.RR#RRR/R(RRR0R<((s7/usr/lib/python2.7/site-packages/SSSDConfig/__init__.pytdeactivate_domains   "    cCs7|jstn|j||jdd|dS(s Remove a domain from the SSSDConfig object. This function will also remove this domain from the list of active domains in the [SSSD] section, if it is there. === Returns === No return value === Errors === NotInitializedError: This SSSDConfig object has not had import_config() or new_config() run on it yet. Rs domain/%sN(RRRFR3(RR((s7/usr/lib/python2.7/site-packages/SSSDConfig/__init__.pyt delete_domain$s   c Cs|jstnt|ts*tn|j}d }|jr|j|kr|j|j|j dd|j}d |_nd|}|j |j d|\}}||j kr|j |gnxa|j|D]P}|ddkr|d|jkr6|j|dd|dtq6qqWx{|jjD]g\}}t|tkr}dj|}n|dkr|j|}n|j||t|qMW|jr|j|n |j|d S( s9 Save the changes made to the domain object back to the SSSDConfig object. If this domain is marked active, ensure it is present in the active domain list in the [SSSD] section domain_object: The SSSDDomain object to save to the configuration. === Returns === No return value === Errors === NotInitializedError: This SSSDConfig object has not had import_config() or new_config() run on it yet. 
TypeError: domain_object was not of type SSSDDomain Rs domain/%sRRRRs, RN(RRRRRRRRRFR3tfindOptsRR:R7RRtdelete_option_subtreeRR5RRR/R6R.RRRE( RRRtoldindext sectionnametnotsection_subtreeRR((s7/usr/lib/python2.7/site-packages/SSSDConfig/__init__.pyRC9s8        (  N(RRRRRRRRR)R*R$R+RR1R2R4R,R?R@R:RBRDRARERFRGRC(((s7/usr/lib/python2.7/site-packages/SSSDConfig/__init__.pyRvs0 -  $ "   "  * *  * "   5   * * ((RRtgettextRRt ipachangeconfRt ExceptionRRRRRRR R R R R RRRRRtPACKAGEt LOCALEDIRt translationRRt_tugettextRRRRtobjectRRRR(((s7/usr/lib/python2.7/site-packages/SSSDConfig/__init__.pyts0                                                                                                                                                                                                                                                                                                                                                                                           <