803 lines
21 KiB
INI
803 lines
21 KiB
INI
[rule/allowed_sections]
|
|
validator = ini_allowed_sections
|
|
section = sssd
|
|
section = nss
|
|
section = pam
|
|
section = sudo
|
|
section = autofs
|
|
section = ssh
|
|
section = pac
|
|
section = ifp
|
|
section = kcm
|
|
section = session_recording
|
|
section_re = ^prompting/password$
|
|
section_re = ^prompting/password/[^/\@]\+$
|
|
section_re = ^prompting/2fa$
|
|
section_re = ^prompting/2fa/[^/\@]\+$
|
|
section_re = ^domain/[^/\@]\+$
|
|
section_re = ^domain/[^/\@]\+/[^/\@]\+$
|
|
section_re = ^application/[^/\@]\+$
|
|
section_re = ^certmap/[^/\@]\+/[^/\@]\+$
|
|
|
|
|
|
[rule/allowed_sssd_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^sssd$
|
|
|
|
option = debug
|
|
option = debug_level
|
|
option = debug_timestamps
|
|
option = debug_microseconds
|
|
option = debug_backtrace_enabled
|
|
option = command
|
|
option = reconnection_retries
|
|
option = fd_limit
|
|
option = client_idle_timeout
|
|
option = description
|
|
|
|
# Monitor service
|
|
option = services
|
|
option = domains
|
|
option = timeout
|
|
option = re_expression
|
|
option = full_name_format
|
|
option = krb5_rcache_dir
|
|
option = user
|
|
option = default_domain_suffix
|
|
option = certificate_verification
|
|
option = override_space
|
|
option = config_file_version
|
|
option = disable_netlink
|
|
option = enable_files_domain
|
|
option = domain_resolution_order
|
|
option = try_inotify
|
|
option = monitor_resolv_conf
|
|
|
|
[rule/allowed_nss_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^nss$
|
|
|
|
option = timeout
|
|
option = debug
|
|
option = debug_level
|
|
option = debug_timestamps
|
|
option = debug_microseconds
|
|
option = debug_backtrace_enabled
|
|
option = command
|
|
option = reconnection_retries
|
|
option = fd_limit
|
|
option = client_idle_timeout
|
|
option = description
|
|
option = responder_idle_timeout
|
|
option = cache_first
|
|
|
|
# Name service
|
|
option = user_attributes
|
|
option = enum_cache_timeout
|
|
option = entry_cache_nowait_percentage
|
|
option = entry_negative_timeout
|
|
option = local_negative_timeout
|
|
option = filter_users
|
|
option = filter_groups
|
|
option = filter_users_in_groups
|
|
option = pwfield
|
|
option = override_homedir
|
|
option = fallback_homedir
|
|
option = homedir_substring
|
|
option = override_shell
|
|
option = allowed_shells
|
|
option = vetoed_shells
|
|
option = shell_fallback
|
|
option = default_shell
|
|
option = get_domains_timeout
|
|
option = memcache_timeout
|
|
option = memcache_size_passwd
|
|
option = memcache_size_group
|
|
option = memcache_size_initgroups
|
|
|
|
[rule/allowed_pam_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^pam$
|
|
|
|
option = timeout
|
|
option = debug
|
|
option = debug_level
|
|
option = debug_timestamps
|
|
option = debug_microseconds
|
|
option = debug_backtrace_enabled
|
|
option = command
|
|
option = reconnection_retries
|
|
option = fd_limit
|
|
option = client_idle_timeout
|
|
option = description
|
|
option = responder_idle_timeout
|
|
option = cache_first
|
|
|
|
# Authentication service
|
|
option = offline_credentials_expiration
|
|
option = offline_failed_login_attempts
|
|
option = offline_failed_login_delay
|
|
option = pam_verbosity
|
|
option = pam_response_filter
|
|
option = pam_id_timeout
|
|
option = pam_pwd_expiration_warning
|
|
option = get_domains_timeout
|
|
option = pam_trusted_users
|
|
option = pam_public_domains
|
|
option = pam_account_expired_message
|
|
option = pam_account_locked_message
|
|
option = pam_cert_auth
|
|
option = pam_cert_db_path
|
|
option = pam_cert_verification
|
|
option = p11_child_timeout
|
|
option = pam_app_services
|
|
option = pam_p11_allowed_services
|
|
option = p11_wait_for_card_timeout
|
|
option = p11_uri
|
|
option = pam_initgroups_scheme
|
|
option = pam_gssapi_services
|
|
option = pam_gssapi_check_upn
|
|
option = pam_gssapi_indicators_map
|
|
|
|
[rule/allowed_sudo_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^sudo$
|
|
|
|
option = timeout
|
|
option = debug
|
|
option = debug_level
|
|
option = debug_timestamps
|
|
option = debug_microseconds
|
|
option = debug_backtrace_enabled
|
|
option = command
|
|
option = reconnection_retries
|
|
option = fd_limit
|
|
option = client_idle_timeout
|
|
option = description
|
|
option = responder_idle_timeout
|
|
option = cache_first
|
|
|
|
# sudo service
|
|
option = sudo_timed
|
|
option = sudo_inverse_order
|
|
option = sudo_threshold
|
|
|
|
[rule/allowed_autofs_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^autofs$
|
|
|
|
option = timeout
|
|
option = debug
|
|
option = debug_level
|
|
option = debug_timestamps
|
|
option = debug_microseconds
|
|
option = debug_backtrace_enabled
|
|
option = command
|
|
option = reconnection_retries
|
|
option = fd_limit
|
|
option = client_idle_timeout
|
|
option = description
|
|
option = responder_idle_timeout
|
|
option = cache_first
|
|
|
|
# autofs service
|
|
option = autofs_negative_timeout
|
|
|
|
[rule/allowed_ssh_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^ssh$
|
|
|
|
option = timeout
|
|
option = debug
|
|
option = debug_level
|
|
option = debug_timestamps
|
|
option = debug_microseconds
|
|
option = debug_backtrace_enabled
|
|
option = command
|
|
option = reconnection_retries
|
|
option = fd_limit
|
|
option = client_idle_timeout
|
|
option = description
|
|
option = responder_idle_timeout
|
|
option = cache_first
|
|
|
|
# ssh service
|
|
option = ssh_hash_known_hosts
|
|
option = ssh_known_hosts_timeout
|
|
option = ca_db
|
|
option = ssh_use_certificate_keys
|
|
option = ssh_use_certificate_matching_rules
|
|
|
|
[rule/allowed_pac_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^pac$
|
|
|
|
option = timeout
|
|
option = debug
|
|
option = debug_level
|
|
option = debug_timestamps
|
|
option = debug_microseconds
|
|
option = debug_backtrace_enabled
|
|
option = command
|
|
option = reconnection_retries
|
|
option = fd_limit
|
|
option = client_idle_timeout
|
|
option = description
|
|
option = responder_idle_timeout
|
|
option = cache_first
|
|
|
|
# PAC responder
|
|
option = allowed_uids
|
|
option = pac_lifetime
|
|
|
|
[rule/allowed_ifp_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^ifp$
|
|
|
|
option = timeout
|
|
option = debug
|
|
option = debug_level
|
|
option = debug_timestamps
|
|
option = debug_microseconds
|
|
option = debug_backtrace_enabled
|
|
option = command
|
|
option = reconnection_retries
|
|
option = fd_limit
|
|
option = client_idle_timeout
|
|
option = description
|
|
option = responder_idle_timeout
|
|
option = cache_first
|
|
|
|
# InfoPipe responder
|
|
option = allowed_uids
|
|
option = user_attributes
|
|
|
|
# KCM responder
|
|
[rule/allowed_kcm_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^kcm$
|
|
|
|
option = timeout
|
|
option = debug
|
|
option = debug_level
|
|
option = debug_timestamps
|
|
option = debug_microseconds
|
|
option = debug_backtrace_enabled
|
|
option = command
|
|
option = reconnection_retries
|
|
option = fd_limit
|
|
option = client_idle_timeout
|
|
option = description
|
|
option = socket_path
|
|
option = ccache_storage
|
|
option = responder_idle_timeout
|
|
option = max_ccaches
|
|
option = max_uid_ccaches
|
|
option = max_ccache_size
|
|
option = tgt_renewal
|
|
option = tgt_renewal_inherit
|
|
option = krb5_lifetime
|
|
option = krb5_renewable_lifetime
|
|
option = krb5_renew_interval
|
|
option = krb5_validate
|
|
option = krb5_canonicalize
|
|
option = krb5_auth_timeout
|
|
|
|
# Session recording
|
|
[rule/allowed_session_recording_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^session_recording$
|
|
|
|
option = scope
|
|
option = users
|
|
option = groups
|
|
option = exclude_users
|
|
option = exclude_groups
|
|
|
|
# Prompting during authentication
|
|
[rule/allowed_prompting_password_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^prompting/password$
|
|
|
|
option = password_prompt
|
|
|
|
[rule/allowed_prompting_2fa_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^prompting/2fa$
|
|
|
|
option = single_prompt
|
|
option = first_prompt
|
|
option = second_prompt
|
|
|
|
[rule/allowed_prompting_password_subsec_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^prompting/password/[^/\@]\+$
|
|
|
|
option = password_prompt
|
|
|
|
[rule/allowed_prompting_2fa_subsec_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^prompting/2fa/[^/\@]\+$
|
|
|
|
option = single_prompt
|
|
option = first_prompt
|
|
option = second_prompt
|
|
|
|
|
|
[rule/allowed_domain_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^\(domain\|application\)/[^/]\+$
|
|
|
|
option = debug
|
|
option = debug_level
|
|
option = debug_timestamps
|
|
option = debug_microseconds
|
|
option = debug_backtrace_enabled
|
|
option = command
|
|
option = reconnection_retries
|
|
option = fd_limit
|
|
option = client_idle_timeout
|
|
option = description
|
|
|
|
#Available provider types
|
|
option = id_provider
|
|
option = auth_provider
|
|
option = access_provider
|
|
option = chpass_provider
|
|
option = sudo_provider
|
|
option = autofs_provider
|
|
option = hostid_provider
|
|
option = subdomains_provider
|
|
option = selinux_provider
|
|
option = session_provider
|
|
option = resolver_provider
|
|
|
|
# Options available to all domains
|
|
option = enabled
|
|
option = domain_type
|
|
option = min_id
|
|
option = max_id
|
|
option = timeout
|
|
option = enumerate
|
|
option = subdomain_enumerate
|
|
option = offline_timeout
|
|
option = offline_timeout_max
|
|
option = offline_timeout_random_offset
|
|
option = cache_credentials
|
|
option = cache_credentials_minimal_first_factor_length
|
|
option = use_fully_qualified_names
|
|
option = ignore_group_members
|
|
option = entry_cache_timeout
|
|
option = lookup_family_order
|
|
option = account_cache_expiration
|
|
option = pwd_expiration_warning
|
|
option = filter_users
|
|
option = filter_groups
|
|
option = dns_resolver_server_timeout
|
|
option = dns_resolver_op_timeout
|
|
option = dns_resolver_timeout
|
|
option = dns_discovery_domain
|
|
option = override_gid
|
|
option = case_sensitive
|
|
option = override_homedir
|
|
option = fallback_homedir
|
|
option = homedir_substring
|
|
option = override_shell
|
|
option = default_shell
|
|
option = description
|
|
option = realmd_tags
|
|
option = subdomain_refresh_interval
|
|
option = subdomain_inherit
|
|
option = subdomain_homedir
|
|
option = cached_auth_timeout
|
|
option = wildcard_limit
|
|
option = full_name_format
|
|
option = re_expression
|
|
option = auto_private_groups
|
|
option = pam_gssapi_services
|
|
option = pam_gssapi_check_upn
|
|
option = pam_gssapi_indicators_map
|
|
|
|
#Entry cache timeouts
|
|
option = entry_cache_user_timeout
|
|
option = entry_cache_group_timeout
|
|
option = entry_cache_netgroup_timeout
|
|
option = entry_cache_service_timeout
|
|
option = entry_cache_autofs_timeout
|
|
option = entry_cache_sudo_timeout
|
|
option = entry_cache_ssh_host_timeout
|
|
option = entry_cache_computer_timeout
|
|
option = entry_cache_resolver_timeout
|
|
option = refresh_expired_interval
|
|
|
|
# Dynamic DNS updates
|
|
option = dyndns_update
|
|
option = dyndns_ttl
|
|
option = dyndns_iface
|
|
option = dyndns_refresh_interval
|
|
option = dyndns_update_ptr
|
|
option = dyndns_force_tcp
|
|
option = dyndns_auth
|
|
option = dyndns_auth_ptr
|
|
option = dyndns_server
|
|
|
|
# files provider specific options
|
|
option = passwd_files
|
|
option = group_files
|
|
|
|
# proxy provider specific options
|
|
option = proxy_lib_name
|
|
option = proxy_resolver_lib_name
|
|
option = proxy_fast_alias
|
|
option = proxy_pam_target
|
|
option = proxy_max_children
|
|
|
|
# simple access provider specific options
|
|
option = simple_allow_users
|
|
option = simple_deny_users
|
|
option = simple_allow_groups
|
|
option = simple_deny_groups
|
|
|
|
# AD provider specific options
|
|
option = ad_access_filter
|
|
option = ad_backup_server
|
|
option = ad_domain
|
|
option = ad_enable_dns_sites
|
|
option = ad_enabled_domains
|
|
option = ad_enable_gc
|
|
option = ad_gpo_access_control
|
|
option = ad_gpo_implicit_deny
|
|
option = ad_gpo_ignore_unreadable
|
|
option = ad_gpo_cache_timeout
|
|
option = ad_gpo_default_right
|
|
option = ad_gpo_map_batch
|
|
option = ad_gpo_map_deny
|
|
option = ad_gpo_map_interactive
|
|
option = ad_gpo_map_network
|
|
option = ad_gpo_map_permit
|
|
option = ad_gpo_map_remote_interactive
|
|
option = ad_gpo_map_service
|
|
option = ad_hostname
|
|
option = ad_machine_account_password_renewal_opts
|
|
option = ad_maximum_machine_account_password_age
|
|
option = ad_server
|
|
option = ad_site
|
|
option = ad_update_samba_machine_account_password
|
|
option = ad_use_ldaps
|
|
option = ad_allow_remote_domain_local_groups
|
|
|
|
# IPA provider specific options
|
|
option = ipa_anchor_uuid
|
|
option = ipa_automount_location
|
|
option = ipa_backup_server
|
|
option = ipa_deskprofile_refresh
|
|
option = ipa_deskprofile_request_interval
|
|
option = ipa_deskprofile_search_base
|
|
option = ipa_subid_ranges_search_base
|
|
option = ipa_domain
|
|
option = ipa_dyndns_iface
|
|
option = ipa_dyndns_ttl
|
|
option = ipa_dyndns_update
|
|
option = ipa_enable_dns_sites
|
|
option = ipa_group_override_object_class
|
|
option = ipa_hbac_refresh
|
|
option = ipa_hbac_search_base
|
|
option = ipa_hbac_support_srchost
|
|
option = ipa_host_fqdn
|
|
option = ipa_hostgroup_memberof
|
|
option = ipa_hostgroup_member
|
|
option = ipa_hostgroup_name
|
|
option = ipa_hostgroup_objectclass
|
|
option = ipa_hostgroup_uuid
|
|
option = ipa_host_member_of
|
|
option = ipa_host_name
|
|
option = ipa_hostname
|
|
option = ipa_host_object_class
|
|
option = ipa_host_search_base
|
|
option = ipa_host_serverhostname
|
|
option = ipa_host_ssh_public_key
|
|
option = ipa_host_uuid
|
|
option = ipa_master_domain_search_base
|
|
option = ipa_netgroup_domain
|
|
option = ipa_netgroup_member_ext_host
|
|
option = ipa_netgroup_member_host
|
|
option = ipa_netgroup_member_of
|
|
option = ipa_netgroup_member
|
|
option = ipa_netgroup_member_user
|
|
option = ipa_netgroup_name
|
|
option = ipa_netgroup_object_class
|
|
option = ipa_netgroup_uuid
|
|
option = ipa_override_object_class
|
|
option = ipa_ranges_search_base
|
|
option = ipa_selinux_refresh
|
|
option = ipa_selinux_usermap_enabled
|
|
option = ipa_selinux_usermap_host_category
|
|
option = ipa_selinux_usermap_member_host
|
|
option = ipa_selinux_usermap_member_user
|
|
option = ipa_selinux_usermap_name
|
|
option = ipa_selinux_usermap_object_class
|
|
option = ipa_selinux_usermap_see_also
|
|
option = ipa_selinux_usermap_selinux_user
|
|
option = ipa_selinux_usermap_user_category
|
|
option = ipa_selinux_usermap_uuid
|
|
option = ipa_server_mode
|
|
option = ipa_server
|
|
option = ipa_subdomains_search_base
|
|
option = ipa_sudocmdgroup_entry_usn
|
|
option = ipa_sudocmdgroup_member
|
|
option = ipa_sudocmdgroup_name
|
|
option = ipa_sudocmdgroup_object_class
|
|
option = ipa_sudocmdgroup_uuid
|
|
option = ipa_sudocmd_memberof
|
|
option = ipa_sudocmd_object_class
|
|
option = ipa_sudocmd_sudoCmd
|
|
option = ipa_sudocmd_uuid
|
|
option = ipa_sudorule_allowcmd
|
|
option = ipa_sudorule_cmdcategory
|
|
option = ipa_sudorule_denycmd
|
|
option = ipa_sudorule_enabled_flag
|
|
option = ipa_sudorule_entry_usn
|
|
option = ipa_sudorule_externaluser
|
|
option = ipa_sudorule_hostcategory
|
|
option = ipa_sudorule_host
|
|
option = ipa_sudorule_name
|
|
option = ipa_sudorule_notafter
|
|
option = ipa_sudorule_notbefore
|
|
option = ipa_sudorule_object_class
|
|
option = ipa_sudorule_option
|
|
option = ipa_sudorule_runasextgroup
|
|
option = ipa_sudorule_runasextusergroup
|
|
option = ipa_sudorule_runasextuser
|
|
option = ipa_sudorule_runasgroupcategory
|
|
option = ipa_sudorule_runasgroup
|
|
option = ipa_sudorule_runasusercategory
|
|
option = ipa_sudorule_sudoorder
|
|
option = ipa_sudorule_usercategory
|
|
option = ipa_sudorule_user
|
|
option = ipa_sudorule_uuid
|
|
option = ipa_user_override_object_class
|
|
option = ipa_view_class
|
|
option = ipa_view_name
|
|
option = ipa_views_search_base
|
|
|
|
# krb5 provider specific options
|
|
option = krb5_auth_timeout
|
|
option = krb5_backup_kpasswd
|
|
option = krb5_backup_server
|
|
option = krb5_canonicalize
|
|
option = krb5_ccachedir
|
|
option = krb5_ccname_template
|
|
option = krb5_confd_path
|
|
option = krb5_fast_principal
|
|
option = krb5_kdcip
|
|
option = krb5_keytab
|
|
option = krb5_kpasswd
|
|
option = krb5_lifetime
|
|
option = krb5_map_user
|
|
option = krb5_realm
|
|
option = krb5_realm
|
|
option = krb5_renewable_lifetime
|
|
option = krb5_renew_interval
|
|
option = krb5_server
|
|
option = krb5_store_password_if_offline
|
|
option = krb5_use_enterprise_principal
|
|
option = krb5_use_subdomain_realm
|
|
option = krb5_use_fast
|
|
option = krb5_use_kdcinfo
|
|
option = krb5_validate
|
|
|
|
# ldap provider specific options
|
|
option = ldap_access_filter
|
|
option = ldap_access_order
|
|
option = ldap_account_expire_policy
|
|
option = ldap_autofs_entry_key
|
|
option = ldap_autofs_entry_object_class
|
|
option = ldap_autofs_entry_value
|
|
option = ldap_autofs_map_master_name
|
|
option = ldap_autofs_map_name
|
|
option = ldap_autofs_map_object_class
|
|
option = ldap_autofs_search_base
|
|
option = ldap_backup_uri
|
|
option = ldap_chpass_backup_uri
|
|
option = ldap_chpass_dns_service_name
|
|
option = ldap_chpass_update_last_change
|
|
option = ldap_chpass_uri
|
|
option = ldap_connection_expire_timeout
|
|
option = ldap_connection_expire_offset
|
|
option = ldap_default_authtok
|
|
option = ldap_default_authtok_type
|
|
option = ldap_default_bind_dn
|
|
option = ldap_deref
|
|
option = ldap_deref_threshold
|
|
option = ldap_disable_paging
|
|
option = ldap_disable_range_retrieval
|
|
option = ldap_dns_service_name
|
|
option = ldap_entry_usn
|
|
option = ldap_enumeration_refresh_timeout
|
|
option = ldap_enumeration_search_timeout
|
|
option = ldap_force_upper_case_realm
|
|
option = ldap_group_entry_usn
|
|
option = ldap_group_external_member
|
|
option = ldap_group_gid_number
|
|
option = ldap_group_member
|
|
option = ldap_group_modify_timestamp
|
|
option = ldap_group_name
|
|
option = ldap_group_nesting_level
|
|
option = ldap_group_object_class
|
|
option = ldap_group_objectsid
|
|
option = ldap_group_search_base
|
|
option = ldap_group_search_filter
|
|
option = ldap_group_search_scope
|
|
option = ldap_group_type
|
|
option = ldap_group_uuid
|
|
option = ldap_idmap_autorid_compat
|
|
option = ldap_idmap_default_domain_sid
|
|
option = ldap_idmap_default_domain
|
|
option = ldap_idmap_helper_table_size
|
|
option = ldap_id_mapping
|
|
option = ldap_idmap_range_max
|
|
option = ldap_idmap_range_min
|
|
option = ldap_idmap_range_size
|
|
option = ldap_id_use_start_tls
|
|
option = ldap_krb5_init_creds
|
|
option = ldap_krb5_keytab
|
|
option = ldap_krb5_ticket_lifetime
|
|
option = ldap_library_debug_level
|
|
option = ldap_max_id
|
|
option = ldap_min_id
|
|
option = ldap_netgroup_member
|
|
option = ldap_netgroup_modify_timestamp
|
|
option = ldap_netgroup_name
|
|
option = ldap_netgroup_object_class
|
|
option = ldap_netgroup_search_base
|
|
option = ldap_netgroup_triple
|
|
option = ldap_network_timeout
|
|
option = ldap_ns_account_lock
|
|
option = ldap_offline_timeout
|
|
option = ldap_opt_timeout
|
|
option = ldap_page_size
|
|
option = ldap_purge_cache_timeout
|
|
option = ldap_pwd_attribute
|
|
option = ldap_pwdlockout_dn
|
|
option = ldap_pwd_policy
|
|
option = ldap_referrals
|
|
option = ldap_rfc2307_fallback_to_local_users
|
|
option = ldap_rootdse_last_usn
|
|
option = ldap_sasl_authid
|
|
option = ldap_sasl_canonicalize
|
|
option = ldap_sasl_mech
|
|
option = ldap_sasl_minssf
|
|
option = ldap_sasl_maxssf
|
|
option = ldap_sasl_realm
|
|
option = ldap_schema
|
|
option = ldap_pwmodify_mode
|
|
option = ldap_search_base
|
|
option = ldap_search_timeout
|
|
option = ldap_service_entry_usn
|
|
option = ldap_service_name
|
|
option = ldap_service_object_class
|
|
option = ldap_service_port
|
|
option = ldap_service_proto
|
|
option = ldap_service_search_base
|
|
option = ldap_sudo_full_refresh_interval
|
|
option = ldap_sudo_hostnames
|
|
option = ldap_sudo_include_netgroups
|
|
option = ldap_sudo_include_regexp
|
|
option = ldap_sudo_ip
|
|
option = ldap_sudorule_command
|
|
option = ldap_sudorule_host
|
|
option = ldap_sudorule_name
|
|
option = ldap_sudorule_notafter
|
|
option = ldap_sudorule_notbefore
|
|
option = ldap_sudorule_object_class
|
|
option = ldap_sudorule_option
|
|
option = ldap_sudorule_order
|
|
option = ldap_sudorule_runasgroup
|
|
option = ldap_sudorule_runas
|
|
option = ldap_sudorule_runasuser
|
|
option = ldap_sudorule_user
|
|
option = ldap_sudo_search_base
|
|
option = ldap_sudo_smart_refresh_interval
|
|
option = ldap_sudo_random_offset
|
|
option = ldap_sudo_use_host_filter
|
|
option = ldap_tls_cacertdir
|
|
option = ldap_tls_cacert
|
|
option = ldap_tls_cert
|
|
option = ldap_tls_cipher_suite
|
|
option = ldap_tls_key
|
|
option = ldap_tls_reqcert
|
|
option = ldap_uri
|
|
option = ldap_user_ad_account_expires
|
|
option = ldap_user_ad_user_account_control
|
|
option = ldap_user_authorized_host
|
|
option = ldap_user_authorized_rhost
|
|
option = ldap_user_authorized_service
|
|
option = ldap_user_auth_type
|
|
option = ldap_user_certificate
|
|
option = ldap_user_email
|
|
option = ldap_user_entry_usn
|
|
option = ldap_user_extra_attrs
|
|
option = ldap_user_fullname
|
|
option = ldap_user_gecos
|
|
option = ldap_user_gid_number
|
|
option = ldap_user_home_directory
|
|
option = ldap_user_krb_last_pwd_change
|
|
option = ldap_user_krb_password_expiration
|
|
option = ldap_user_member_of
|
|
option = ldap_user_modify_timestamp
|
|
option = ldap_user_name
|
|
option = ldap_user_nds_login_allowed_time_map
|
|
option = ldap_user_nds_login_disabled
|
|
option = ldap_user_nds_login_expiration_time
|
|
option = ldap_user_object_class
|
|
option = ldap_user_objectsid
|
|
option = ldap_user_primary_group
|
|
option = ldap_user_principal
|
|
option = ldap_user_search_base
|
|
option = ldap_user_search_filter
|
|
option = ldap_user_search_scope
|
|
option = ldap_user_shadow_expire
|
|
option = ldap_user_shadow_flag
|
|
option = ldap_user_shadow_inactive
|
|
option = ldap_user_shadow_last_change
|
|
option = ldap_user_shadow_max
|
|
option = ldap_user_shadow_min
|
|
option = ldap_user_shadow_warning
|
|
option = ldap_user_shell
|
|
option = ldap_user_ssh_public_key
|
|
option = ldap_user_uid_number
|
|
option = ldap_user_uuid
|
|
option = ldap_use_tokengroups
|
|
option = ldap_host_object_class
|
|
option = ldap_host_name
|
|
option = ldap_host_fqdn
|
|
option = ldap_host_serverhostname
|
|
option = ldap_host_member_of
|
|
option = ldap_host_search_base
|
|
option = ldap_host_ssh_public_key
|
|
option = ldap_host_uuid
|
|
option = ldap_iphost_search_base
|
|
option = ldap_iphost_object_class
|
|
option = ldap_iphost_name
|
|
option = ldap_iphost_number
|
|
option = ldap_iphost_entry_usn
|
|
option = ldap_ipnetwork_search_base
|
|
option = ldap_ipnetwork_object_class
|
|
option = ldap_ipnetwork_name
|
|
option = ldap_ipnetwork_number
|
|
option = ldap_ipnetwork_entry_usn
|
|
|
|
# For application domains
|
|
option = inherit_from
|
|
|
|
[rule/allowed_subdomain_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^domain/[^/\@]\+/[^/\@]\+$
|
|
|
|
option = ldap_search_base
|
|
option = ldap_user_search_base
|
|
option = ldap_group_search_base
|
|
option = ldap_netgroup_search_base
|
|
option = ldap_service_search_base
|
|
option = ldap_sasl_mech
|
|
option = ad_server
|
|
option = ad_backup_server
|
|
option = ad_site
|
|
option = use_fully_qualified_names
|
|
option = auto_private_groups
|
|
option = pam_gssapi_services
|
|
option = pam_gssapi_check_upn
|
|
option = pam_gssapi_indicators_map
|
|
|
|
[rule/sssd_checks]
|
|
validator = sssd_checks
|
|
|
|
[rule/allowed_certmap_options]
|
|
validator = ini_allowed_options
|
|
section_re = ^certmap/[^/\@]\+/[^/\@]\+$
|
|
|
|
option = matchrule
|
|
option = maprule
|
|
option = priority
|
|
option = domains
|